Cybersecurity

Updates

SingHealth, Singapore's largest healthcare group, has suffered a data breach in which hackers obtained personal information on 1.5 million patients, including their name, address, gender, race, date of birth, and National Registration Identity Card numbers, the Ministry of Health of Singapore confirmed. The hackers also obtained information on the outpatient dispensed medicines of about 160,000 patients, including Singapore's Prime Minister and a few other ministers. The Ministry of Health of Singapore stated that hackers specifically and repeatedly targeted the Prime Minister's personal particulars and information on his outpatient dispensed medicine. The investigations by the Cyber Security Agency of Singapore and the Integrated Health Information System are underway and confirm that the cyber-attack was deliberate, targeted, and well-planned.

Cybersecurity researchers at F5 Networks and their data partner Loryka reported that cyber-attacks on Finland, which is not typically a top attack destination country, dramatically increased from 12 July until the Trump-Putin summit. The researchers claim that the majority of the attacks were brute force attacks against SSH, a type of attack commonly used to exploit IoT devices online. According to F5 Networks, ChinaNet was the top network used to launch attacks from, both before the Trump-Putin summit and during the attack spike. However, researchers noted that there is no data to suggest the attacks against Finland were successful.

Microsoft detected and helped the US government block Russian hacking attempts against at least three congressional candidates in 2018, Microsoft’s corporate vice president for customer security and trust Tom Burt said at the Aspen Security Forum. The hackers sought to steal the credentials of candidates’ staffers through phishing attacks which landed them at a fake Microsoft domain. According to Microsoft, the fake domains were registered by Fancy Bear or APT 28, a Russia-linked group of hackers. Microsoft took down the fake domain and worked with the government to ensure none of the staffers was infected by the attack.

FBI Director Christopher Wray stated his belief that a compromise can be reached resolving the “Going Dark” problem. According to Wray, the government is committed to both strong encryption and to the fulfillment of its cybersecurity mission, and Wray believes both can be achieved with a technical solution. However, he stated that if the compromise can’t be reached, there are other remedies, such as legislation.

Following the statement of the US Deputy Assistant Secretary for Cyber and International Communications and Information Policy that the US can strike a deal on norms for government behavior in cyberspace with China and Russia at the UN, the Trump-Putin summit again brought up the idea of a joint Russian-American working group or task force which would protect future elections from hackers. The idea of a joint task force, criticised by experts, was first brought up in July 2017 by President Trump, and has resurfaced at the Helsinki summit where President Putin suggested that the US and Russia work together to examine the evidence that Russia had meddled in the US presidential election. President Putin once again denied Russia meddled in the election, calling the accusations utter nonsense.

Heads of State and Government participating in the meeting of the North Atlantic Council in Brussels 11-12 July 2018 issued the Brussels Summit Declaration. The Alliance will continue to implement cyberspace as a domain of operations, in accordance with international law. The participants reached an agreement on how to integrate sovereign cyber effects, provided voluntarily by Allies, into Alliance operations and missions in the framework of strong political oversight. The Declaration also recognized attribution as a sovereign national prerogative and gives individual Allies the right to consider, when appropriate, attributing malicious cyber activity and responding in a coordinated manner. It expresses the determination to employ the full range of capabilities - including but not limited to cyber - to deter, defend against, and counter cyber threats, including those conducted as part of a hybrid campaign. The Allies also expressed their determination to deliver strong national cyber defenses by fully implementing the Cyber Defense Pledge. The Declaration confirmed the establishment of a Cyberspace Operations Centre, whose creation was announced in November 2017, which will be situated in Belgium and will provide situational awareness and coordination of NATO operational activity in cyberspace.

Cybersecurity is among the main concerns of governments, Internet users, technical and business communities. Cyberthreats and cyberattacks are on the increase, and so is the extent of the financial loss.

Yet, when the Internet was first invented, security was not a concern for the inventors. In fact, the Internet was originally designed for use by a closed circle of (mainly) academics. Communication among its users was open.

Cybersecurity came into sharper focus with the Internet expansion beyond the circle of the Internet pioneers. The Internet reiterated the old truism that technology can be both enabling and threatening. What can be used to the advantage of society can also be used to its disadvantage.

As a policy space, cybersecurity is in its formative phase, with the ensuing conceptual and terminological confusion. We often hear about other terms that are used without the necessary policy precision: cyber-riots, cyberterrorism, cybersabotage, etc. In particular, cyberterrorism came into sharper focus after 9/11, when an increasing number of cyberterrorist attacks were reported. Cyberterrorists use similar tools to cybercriminals, but for a different end. While cybercriminals are motivated mainly by financial gain, cyberterrorists aim to cause major public disruption and chaos.

Cybersecurity policy initiatives

Cybersecurity is tackled through various national, regional, and global initiatives. The main ones are described below.

At national level, a growing volume of legislation and jurisprudence deals with cybersecurity, with a focus on combating cybercrime and, increasingly, on the protection of critical information infrastructure from sabotage and attacks as a result of terrorism or conflicts. It is difficult to find a developed country without some initiative focusing on cybersecurity.

At international level, the ITU is the most active organisation; it has produced a large number of security frameworks, architectures, and standards, including X.509, which provides the basis for the public key infrastructure (PKI), used, for example, in the secure version of HTTP(S) (HyperText Transfer Protocol (Secure)). The ITU moved beyond strictly technical aspects and launched the Global Cybersecurity Agenda. This initiative encompasses legal measures, policy cooperation, and capacity building. Furthermore, at WCIT-12, new articles on security and robustness of networks and on unsolicited bulk electronic communications (usually referred to as spam) were added to the ITRs.

A major international legal instrument related to cybersecurity is the Council of Europe’s Convention on Cybercrime, which entered into force on 1 July 2004. Some countries have established bilateral arrangements. The USA has bilateral agreements on legal cooperation in criminal matters with more than 20 other countries (Mutual Legal Assistance in Criminal Matters Treaties (MLATs)). These agreements also apply in cybercrime cases.

The Commonwealth Cybercrime Initiative (CCI) was given its mandate from Heads of government of the Commonwealth in 2011 to improve legislation and the capacity of member states to tackle cyber crime. Dozens of partners involved with CCI assist interested countries with providing scoping missions, capacity building programmes, and model law outlines in the fields of cybercrime and cybersecurity in general.

The G8 also has a few initiatives in the field of cybersecurity designed to improve cooperation between law enforcement agencies. It formed a Subgroup on High Tech Crime to address the establishment of 24/7 communication between the cybersecurity centres of member states, to train staff, and to improve state-based legal systems that will combat cybercrime and promote cooperation between the ICT industry and law enforcement agencies.

The United Nations General Assembly passed several resolutions on a yearly basis on ‘developments in the field of information and telecommunications in the context of international security’, specifically resolutions 53/70 in 1998, 54/49 in 1999, 55/28 in 2000, 56/19 in 2001, 57/239 in 2002, and 58/199 in 2003. Since 1998, all subsequent resolutions have included similar content, without any significant improvement. Apart from these routine resolutions, the main breakthrough was in the recent set of recommendations for negotiations of the cybersecurity treaty, which were submitted to the UN Secretary General by 15 member states, including all permanent members of the UN Security Council.

Actors

In an environment increasingly characterised by digital convergence, the EBU is working on supporting its members in their digital transformation processes, in promoting and making use of digital channels, and in identifying viable investment solutions for over-the-top (OTT) services. The organisation has a Digital Media Steering Committee, focused on ‘defining the role of public service media in the digital era, with a special focus on how to interact with big digital companies’. It also develops a bi-annual roadmap for technology and innovation activities, as well as a Strategic Programme on Broadcaster Internet Services, and it has a dedicated Project Group on OTT services.

As part of its Emerging Security Challenges Programme, the GCSP has a cybersecurity cluster which tackles cybersecurity issues through education and training activities, as well as policy analysis and events. The cluster also provides a platform for dialogue and exchanges on cyber challenges, among cyber experts from the public, private, and civil society sectors. The training and education activities cover areas such as cybersecurity strategy formulation, cyber diplomacy, and broader capacity building initiatives (e.g. workshops and student challenges). Policy papers produced by the GCSP examine issues such as computer network defence and future challenges in cyberspace.

In the area of online content policy, the ICT for Peace Foundation is engaged in activities concerning the use of the Internet for terrorist purposes. The Foundation is organising events and producing publications on this issue, with the main aim of raising awareness and promoting a multistakeholder dialogue on possible solutions for countering terrorist use of the Internet. Together with the United Nations Counter-Terrorism Executive Directorate, the organisation runs a global engagement project working with other stakeholders to develop community standards around the prevention of violent extremism online, consistent with UN principles, including in the area of human rights.

Within the framework of its Digital Economy and Society initiative, WEF has launched the Internet for All project, aimed at bringing online tens of millions of Internet users by the end of 2019, initially through programmes targeted at the Northern Corridor in Africa, Argentina, and India. In addition to this project, WEF also undertakes research on Internet-access-related issues. One notable example is the annual Global Information Technology Report and the related Networked Readiness Index, which measures, among others, the rates of Internet deployment worldwide. Internet access and the digital divide are also addressed in the framework of various WEF initiatives such as its annual meetings and regional events.

The Global Cyber Security Capacity Centre has developed the Cybersecurity Capacity Maturity Model for Nations, a model to review cybersecurity capacity maturity across five dimensions, which aims to enable nations to self-assess, benchmark, better plan investments and national cybersecurity strategies, and set priorities for capacity development. GCSCC is also developing a model for understanding the harm experienced by nations as a result of a lack of capacities. The Cybersecurity capacity portal, developed by the GCSCC in partnership with the Global Forum on Cyber Expertise (GFCE), is a global resource for cyber capacity building which enables sharing of practices and experiences.

The second World Internet Conference (WIC) - the Wuzhen Summit was held on 16-18 December 2015 with the theme 'An Interconnected World Shared and Governed by All'. Pursuant to discussions at the High-Level Advisory Council (HAC), the WIC Organising Committee proposed an Initiative outlining the following issues: promotion of Internet deployment and development, fostering cultural diversity in the cyberspace, sharing the fruits of Internet development, ensuring peace and security in cyberspace, and improving the global Internet governance.

Information and communications technologies (ICTs) have long been described as key tools in achieving growth and development, on an economic, social, cultural, and political level. The continuous innovation in this area has led to the development of ICT applications that are now used not only as means of communications, but also in various fields such as e-commerce, e-government, e-health, etc.

The role of ICTs as instruments for achieving sustainable development at a global level has been recognised by various intergovernmental organisations, which have many times stressed the need to ensure that such technologies are globally accessible and can effectively be used to fulfill their developmental potential.

The Resolution emphasises the fact that ICTs can bring about significant political, economic, and social changes, and draws attention to the fact that more efforts need to be made in order to overcome the financial, economic, and social restrictions and barriers that hinder the use of ICTs in developing societies. A list of recommendations for parliaments and governments is then outlined. Parliaments are called on to make full use of ICTs to enhance the effectiveness, efficiency, and transparency of their activities, and better communicate with the citizens. They are also asked to take legislative actions aimed at creating an enabling environment for the dissemination, development, and secure use of ICTs. Governments, on the other hand, are urged to take measures for bridging the digital divide, in its various dimensions (including with regard to affordability of access, digital literacy, and gender equality). The Resolution also addresses the use of ICTs for criminal purposes, and it calls for enhanced national efforts and international cooperation in preventing and combating this phenomenon. The role of ICTs in facilitating the exercise and defence of human rights is outlined as well, and freedom of expression in cyberspace is reaffirmed as a key principle that needs to be respected.

As a follow-up to the adoption of this Resolution, the IPU and its member states have engaged in a number of activities aimed at promoting an enhanced use of ICTs as tools for development. As mandated by the Resolution, the IPU was involved in the 2003-2005 phases of the World Summit on the Information Society, and it was later designated as a co-facilitator for the WSIS Action Line C1 on ‘The role of public authorities and all stakeholders in the promotion of ICT for development’. In 2005, the Union set up a Global Centre on ICT in Parliament (in partnership with the United Nations Department for Economic and Social Affairs); one of the main objectives of this centre is to ‘reinforce the role of parliaments in establishing the legislative frameworks required for the development of sustainable ICT policies and an inclusive information society’. The ‘World e-Parliament Report’ is another IPU activity worth mentioning; the report looks at the progress made by parliaments in using ICTs for exercising their constitutional functions.

The 2013 report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security "recognizes that the application of norms derived from existing international law relevant to the use of ICTs by States is essential to reduce risks to international peace, security and stability. The report recommends further study to promote common understandings on how such norms apply to State behaviour and the use of ICTs by States. Given the unique attributes of ICTs, the report notes that additional norms could be developed over time. The report reflects the Group’s conclusion that international law and in particular the United Nations Charter, is applicable and is essential to maintaining peace and stability and promoting an open, secure, peaceful and accessible ICT environment. The Group also concluded that State sovereignty and the international norms and principles that flow from it apply to States’ conduct of ICT-related activities and to their jurisdiction over ICT infrastructure within their territory; States must meet their international obligations regarding internationally wrongful acts attributable to them. The report contains recommendations on voluntary measures to build trust, transparency and confidence, as well as international cooperation to build capacity for ICT security, especially in developing countries."

The interactive format of the session was explained and the audience was split into three groups representing the perspectives of the manufacturer, the user, and the policymakers when discussing the different aspects of the Internet of Things (IoT): privacy, security, and economics.

The group on policymaking, under the facilitation of Tropina, built their discussions around the experience of the UK government in supporting the research and development of IoT and engaging with businesses and citizens to advance UK leadership in IoT applicability. The goal of their initiative is to propose commercial incentives for manufacturers to ensure the development of IoT for healthcare services, transportation and smart cities. The group came to the idea that privacy and security by design should be a priority for IoT devices and software. However, policymakers should work with the industry to set standards at the global level to ensure a cross-border flow of IoT technologies and devices, and most importantly, to prevent counterfeiting, which would endanger security and privacy tremendously. For this reason, it would be good to involve international standardisation organisations. Finally, the group agreed on the necessity to find reliable metrics for checking the progress of IoT deployment and how it really contributes to economic growth.

The second group’s discussion was led by Koch and focused on the manufacturer’s perspective, with most of the discussion being on security. However, as businesses, their foremost priority is to sell products, and it was roughly agreed that economics was the driving factor behind having security or privacy on the agenda for IoT manufacturing. Following the roll-out of the General Data Protection Regulation (GDPR), privacy and security became an economic consideration as well. Since businesses mainly run on consumer/user demand, the group also argued that demanding security was the consumer’s responsibility at the end of the day. The layers of security, from the design and manufacturing of the microchips to software, were discussed, and companies who take on all layers of production were mentioned as examples of efforts to increase product security. Another point made was that the IoT was not only there for end users and was not always connected to the Internet, but a big part of the industry was built upon business to business applications for logistics, manufacturing, transportation, environmental monitoring, industries and so on.

The third group focused on the user’s perspective and started the discussion by trying to formulate the questions that they saw as relevant to making informed decisions relating to connected products and devices, whether security was a concern, and how a consumer can learn about quality and security when it comes to devices whose technical functioning is not necessarily intuitive. Some of the other points raised by the discussion group include:

One of the key topics was whether users were ready to pay more for secured IoT devices, and participants agreed that price was a relevant component but not the only issue to be considered.

Information regarding the safety and security of connected devices needs to be clear, objective and intelligible for non-experts; an excessive burden on vulnerable users who normally lack the necessary expertise will not improve the overall cybersecurity environment.

Whether through formal certification or informal mechanisms, users want devices to be tested and the results publicised, so as to ensure diversity and confrontation of views, as well as diversity of sources that are independent and, if possible, officially verifiable.

Children’s toys and devices may be a good starting point to raise awareness regarding the importance of privacy and security of connected devices, since people tend to raise their concerns and awareness efforts when these interests are at stake.

The session continued with discussions comparing the messages and perspectives of policymakers, users and manufacturers. The question of the responsibility for security was debated in depth. Users put economics over security, which determines sector trends in IoT, so education and awareness should be a priority. A solution can be that governments impose security by design on manufacturers, which would solve the security issue. Another important point to consider is imported products; is it a solution to tightly regulate imported IoT and have certifications? Participants from a technical background stressed that security is not a state, it constantly evolves, which raises the issue of who is responsible for security issues. In 10 or 20 years, if a manufacturer is long gone but the products are still in use, who will governments and users address? Industry-set standards can be a solution to these issues, just like the CE standards for various products.

Final remarks included that current disclosures and disclaimers that come with connected devices were not sufficient. Additional regulation to the existing privacy regulation will likely be needed for the IoT. And in the near future, if there is a lack of consideration for privacy and security in the IoT, they may simply not be allowed on the European market.

Articles

A series of blog posts which explore the main dilemmas surrounding the Apple-FBI case. In these posts, three fictitious characters, Privarius, Securium, and Commercias talk about encryption, privacy, and security.

Publications

The latest edition of the glossary, compiled by DiploFoundation, contains explanations of over 130 acronyms, initialisms, and abbreviations used in IG parlance. In addition to the complete term, most entries include a concise explanation and a link for further information.

The book, now in its sixth edition, provides a comprehensive overview of the main issues and actors in the field of Internet governance and digital policy through a practical framework for analysis, discussion, and resolution of significant issues. It has been translated into many languages.

Papers

The paper, elaborated by Microsoft, proposes a three-part organising framework for the cybersecurity norms dialogue: offensive norms, which are applicable to nation-states and concern self-restraint in the conduct of cyber operations; defensive norms, which are relevant to both governmental and non-governmental actors and address defensive measures against nation-state activities in cyberspace; and industry norms outlining industry’s role in mitigating the risks facing technology users from nation-state activity in cyberspace.

The paper, elaborated by Microsoft, recommends six cybersecurity norms with the intention of reducing the possibility that information and communications technology (ICT) products and services are used, abused, or exploited by nation states as part of military operations.

The paper presents the results of an analysis of ten web standards with respect to two generic security goals: new web mechanisms should not break the security of existing web applications, and different newly proposed mechanisms should interact with each other gracefully.

Reports

The study provides an overview of the international dialogue on establishing norms of state behaviour and confidence-building measures (CBMs) in cyberspace. It offers a comparative analysis of the leading international and regional political documents outlining cyber-norms, CBMs to reduce conflict stemming from the use of ICT, and capacity-building efforts to strengthen co-operation on cybersecurity. It discusses how they could further influence each other, and notes several specific directions that further developments could take.

The report outlines predictions of the development of the technology, media, and telecommunications sectors in 2017. It covers issues such as: biometric security, distributed denial of service attacks, self-driving vehicles, 5G networks, machine learning, and Internet of Things as a service.

The report provides a snapshot of the state of deployment of DNSSEC as of the end of 2016. It addressed two main aspects for deployment of DNSSEC: DNSSEC signing (how many zones are signed using DNSSEC and have a chain of trust back to the DNS root), and DNSSEC validation (what recursive resolvers support DNSSEC, and how many clients are using DNSSEC-validating DNS resolvers).

This technical report analyses the compatibility or complementarity of the Council of Europe Convention on Cybercrime (Budapest Convention), and the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), in order to facilitate support to African countries in the reform of their legislation on cybercrime and electronic evidence. The report is based on a study by Zahid Jamil for the GLACY+ (Global Action on Cybercrime Extended) Project.

The report provides an overview of the US Department of Commerce’s policies in the field of digital economy over the course of the Obama administration. It covers areas such as: management of the Domain Name System, privacy and security online, innovation and emerging technologies, and access and skills.

The report, prepared by the Global Commission on Internet Governance, outlines a series of recommendations to policy makers, private industry, the technical community and other stakeholders on modalities for maintaining a ‘healthy Internet’. It tackles aspects such as: the promotion of a safe, open and secure Internet, human rights for digital citizens, the responsibilities of the private sector, safeguarding the stability and resiliency of the Internet’s core infrastructure, and improving multistakeholder Internet governance.

The report, based on a survey of 1200 IT decision makers, looks at trends in the adoption of cloud computing within enterprises, and it explores issues related to cloud security (cloud security technologies, encryption, data loss prevention, etc).

Cyberspace has become an essential component of modern society, yet its merits are accompanied by threats. The number of reported cyber-incidents has increased the need to build cybersecurity competences, especially for protecting the critical infrastructure.

The study Cybersecurity Competence Building Trends, conducted by DiploFoundation’s researchers Vladimir Radunović and David Rüfenacht, analyses measures that ten OECD member states have applied to promote competence building in the field of cybersecurity. The study was commissioned by the Federal Department of Foreign Affairs of Switzerland.

The increasing dependence of the corporate sector on the Internet has also created a demand for qualified labour, which is being recognised by states as a possible driver for employment, economic growth, and global competitiveness. All the studied countries are developing the means to transform their national labour markets to meet this changing environment.

Eight dominant cybersecurity competence-building trends were identified in the study, and clustered within two categories:

Measures for strengthening the academic programmes, with long-term effects.

Measures related to professional training and knowledge frameworks, with shorter-term effects.

The first category includes measures such as: governmental support for university programmes; regional partnerships between research labs and multinational companies, aimed at increasing the country’s or region’s competitiveness in global cybersecurity markets; partnerships between universities and state security institutions; and university labelling programmes aimed to better correlate the curricula with the needs of public institutions.

One key trend in the second category is the collaboration between public institutions and professional certification bodies, leading to a soft standardisation of the minimum knowledge and ability requirements for cybersecurity personnel.

Other trends include: measures to improve the competences of the private sector, especially small and medium enterprises and operators of critical infrastructure; cybersecurity training for decision-makers, managers, and senior executives; as well as the development of cybersecurity-related job descriptions, and the definition of the required knowledge training for such jobs.

The study concludes by saying that the identified trends lead not only to the development of national competences for responses to cyber-threats, but also to the consolidation of cutting-edge cyber-industries that increase the competitiveness of states in the global cyber-markets.

The study analyses the different approaches the EU member states take to protect their critical information infrastructures, and makes recommendations to EU member states and the European Commission on how to improve critical information infrastructures protection (CIIP) in the European Union.

The report analyses a number of global risks (such as tensions between countries, unresolved crises, terrorist attacks, cyber fragilities), and looks into how these could evolve and interact in the next decade. The breakdown of critical information infrastructure and networks and large scale cyber-attacks is included among the most concerning global risks for 2016.

The document, produced as part of the IGF 2015 inter-sessional work, looks at misconceptions around the role and responsibilities of Computer Security Incident Response Teams. It also provides successful examples of new forms of cooperation and outreach that CSIRTs could engage in, in order to be better heard within the wider Internet governance community.

This report examines and documents evolutions and emerging opportunities and challenges in the digital economy. It provides a comprehensive overview of the digital economy, including matters of infrastructure, policy, net neutrality, development, privacy and security.

The report provides an assessment of Internet security and best practices for mitigating online threats (malware and botnets, phishing and social engineering, attacks against domain names and IP addresses, mobile and voice threats, threats associated to hosting and cloud services, and online harassment).

The report measures the level of cybersecurity development of ITU member states, with a focus on five areas: legal measures, technical measures, organisational measures, capacity building, and international cooperation.

The document, produced as part of the IGF 2014 inter-sessional work, provides an overview of the roles and responsibilities of Computer Security Incident Response Teams (CSIRTs), and looks at both accomplishments and challenges facing their activities.

GIP event reports

Cybersecurity and privacy represent two interconnected aspects. Legal frameworks are mandatory in any cyber context because of the amount of personal information that needs to be protected while keeping up with the speedy evolution of technologies. Data is essential for Internet of Things (IoT) devices; indeed, by 2025, there will be over 20 billion connected devices. The session was moderated by Mr Marcin Cichy (President of the Office of Electronic Communications (UKE) of Poland). It focused on privacy considerations within the context of artificial intelligence (AI) and IoT, including references to the General Data Protection Regulation (GDPR).

The first speaker was Mr Mohammad N. Azizi (Chairman of the Afghanistan Telecom Regulatory Authority (ATRA)). He explained how the information technology landscape is in constant evolution and how most data is generated from online and offline platforms. Thus, IoT will further transform the way we think about data and the way we use it. With the application of AI to IoT devices, the cybersecurity aspect becomes a crucial one. As a result, law enforcement agencies and regulators cannot work in silos; they need to work together. Regulators need to focus on how data is collected, while law enforcement should focus on how the data is used. Collaboration is necessary for going forward.

The second speaker, Mr Giampiero Nanni (Government Affairs of Symantec) talked about the impact of privacy in the context of Shadow IT, defined as information technology systems that live inside an organisation without explicit organisational approval. Thus, privacy issues are raised when dealing with data put into the cloud through these applications. Finally, he further argued that IoT is a ‘time bomb’ because it does not have provisions in terms of security.

The third speaker, Mr Aaron Kleiner (Director, Industry Assurance & Policy Advocacy at Microsoft) spoke from a deep industrial perspective explaining how technology companies think about security and adding Microsoft’s experience as an example. He argued that a change in people’s mindset is needed: approaches need to move from bolting security on at the end of production to putting security at the core of production. In addition, an operational assurance framework should be taken into consideration. Over the years, societal technology reliance reached policymakers. From the technology sector’s perspective, it is up to them to understand how to improve cybersecurity. In this regard, he recalled Microsoft’s publication, The Future Computed: Artificial Intelligence and Its Role in Society. He finished his argument by stating that there is a need for time to identify and articulate the key principles of making AI, and enabling people to achieve more. The tech industry is collaboratively looking at AI. To this extent, a public-private dialogue should be fostered. With regard to the GDPR, he argued that it has a significant impact on the private sector and that privacy represents the foundation for trust between the private sector and consumers.

The fourth speaker, Mr Luigi Rebuffi (Secretary-General of the European Cybersecurity Organization (ECSO)) argued that a right balance between monitoring activities and cybersecurity does not exist. It depends on various aspects, such as the cultural environment. Recently, surveillance has switched from physical surveillance to digital surveillance of data and information. He stated that it is a kind of surveillance that we, as citizens, are providing to society. Moreover, society will evolve with the increase of connected devices. With regard to privacy, a recurrent, still open question is: does privacy still exist? There is a need to find a pathway for the balance between the increase of security and the correct use of data. Furthermore, there is a need to educate both protectionists and citizens.

The fifth speaker, Ms Raquel Gatto (Regional Policy Advisor of the Internet Society (ISOC)) recalled ISOC’s publication the 2017 Internet Society Global Internet Report: Paths to Our Digital Future. She explained that the research identified six different drivers: cyber threats; AI; IoT; the role of governments; network standards; and Internet economy. Despite the apocalyptic view about jobs that will be lost, there is room to be optimistic: technological evolution can be used for better social development. With regard to cybersecurity, it has to be considered during the first stages of development, and it is up to regulators to change this mindset. She argued that this is already happening in the case of the IoT framework of the Online Trust Alliance (OTA). However, work should also be done on the prevention side. Finally, she concluded her speech by trying to answer the question ‘does privacy still exist?’ She argued that yes, it does, and it is about being aware of your data. Thus, no law will bring a definitive solution, but an efficient way to achieve privacy is through collaboration by all stakeholders.

The sixth speaker was Mr Ivo Lõhmus, Vice President Public Sector of the Guardtime AS, who talked about the use of blockchain in the implementation of the use of data. He explained how blockchain technology works and explained that one important feature of blockchain is the immutability of data. As a result, this can have negative implications with regard to human rights such as the right to be forgotten.

The final speaker was Mr Vincenzo Lobianco (Chief Technology and Innovation Officer (Autorità per le Garanzie nelle Comunicazioni) of Italy). He talked about the Italian experience in terms of a best practice example. There is a new paradigm in place: the use of IoT means that several different actors are involved in the collection and elaboration of data. They all have a common feature: they need a communications infrastructure to send data directly to the centre, to the cloud. The telecom regulator has to understand the need for working with different sectors. In conclusion, he gave three main examples of collaboration: the energy sector with smart metering; the transportation authority; and finally, the large investigation of big data and economy.

This side event introduced the StaTact toolkit, developed by UN Institute for Training and Research (UNITAR) and the UN Statistics Division (UNSD) to assist governments in solving measurement problems related to the 2030 Agenda. Mr Nikhil Seth (Assistant Secretary-General of the UN and Executive Director of UNITAR) highlighted current gaps in the methodology and data needed to monitor sustainable development goal (SDG) indicators, which provide challenges even for advanced statistical offices. Seth explained that StaTact aims to help countries identify and respond to such measurement challenges.

Mr Stefan Schweinfest (Director of the UN Statistics Division) called for greater focus on capacity building to enhance financial, human, and institutional capacity for monitoring the SDGs. In this context, there is a need to improve the organisation and management of statistics and develop integrated national and sub-national development programmes with a strong focus on data, especially in least developed countries. StaTact provides an opportunity to support such programmes with strengthened statistical systems.

Mr Einar Bjorgo (Director, Division for Satellite Analysis and Applied Research, UNITAR) provided an overview of the development of StaTact, which was born out of a partnership between UNITAR and UNSD, and involved consultations with UN country teams and regional commissions, before going into a process of iterative design and pilots to improve its functionality. The tool takes a tactical approach to allow for quick solutions to practical measurement problems, rather than offering long-term strategic support.

Ms Elena Proden (Specialist, Strategic Implementation of the 2030 Agenda, UNITAR) elaborated on the use of the tool, which includes multistakeholder workshops that aim to develop a realistic action plan that can be implemented within 6-12 months. She highlighted that the tool is particularly useful when there is no national strategy, when there are obstacles impeding the implementation of strategies, and when current strategies need to be reviewed or redirected. In addition, the tool ensures the alignment of statistics with SDG indicators and promotes a bottom-up approach to the localisation of these indicators.

Mr Gabriel Gamez (Inter-regional Adviser at the UN Statistics Division) emphasised the value of statistics in converting raw data into information and knowledge that can be communicated to decision-makers. In this process, it is important to be agile and flexible in the design of statistical models while standardising the collection, analysis, storage, and dissemination of statistics. Noting the value of independent and objective official statistics, he explained that the UN General Assembly has put official statistics at the core of the SDG indicator framework (see A/RES/71/313). To be able to meet this challenge, national statistical offices need to modernise and strengthen their infrastructure, know-how, and management. StaTact helps statistical offices to identify quick wins that can help them move forward in their transformation.

Throughout the pilots, the greatest obstacles for national statistical offices seem to be related to interoperability, coordination, granularity and methodology; and solutions have been found in the establishment of coordinating groups, the exchange and access to non-traditional data, the development of new approaches, and the improvement of management support and finance.

Following the introduction of StaTact, three representatives of statistical offices shared their experience in using the tool. Mr Iwan A. Sno (Director of the General Bureau of Statistics of Suriname) explained that the tool has been useful to raise awareness and encourage action, to improve communications, and to assess gaps in statistical frameworks, although there are certain technical elements that could be improved. Mr James Muwonge (Director of Socio-Economic Surveys at the Uganda Bureau of Statistics) explained how the tool has been useful in identifying the need to harmonise different interpretations in the measurement of youth employment and develop a common definition. Mr Tchaou Meatchi (Director of Planning and Development Policies of the Ministry of Planning of Togo) presented the ways in which the tool helped to identify an action plan to address the lack of disaggregated data on undernourishment in Togo. Closing the session, Gamez expressed the hope for the tool to become ‘fully accessible and universal’.

This high-level roundtable brought together experts from academia to present the ITU BDT AI For Development Series, highlighting its key findings and recommendations. It was moderated by Ms Régina Fleur Bessou Assoumou (Chair of the ITU-D Study Group 1) who introduced the panellists by asking about the key issues that can be encountered when dealing with policy makers.

The first panellist, Dr Urs Gasser (Executive Director of the Berkman Klein Center for Internet & Society at Harvard University and Professor of Practice at Harvard Law School), argued that policy makers and regulators are wrestling with how to approach the next wave of technology. Recurrent issues are the asymmetry of information and siloed conversations, and solutions that benefit everyone need to be considered. Questions about inclusiveness and the future of jobs should be part of the conversation, as well as discussion on the governance instruments available.

The second speaker, Dr Gyu Myoung Lee (Adjunct Professor at KAIST) spoke about the use of data, algorithms and blockchain. In order to provide convenient and smart services, the application of AI is essential. Thus, there is a need for new ecosystems that facilitate data sharing. Moreover, concerns over technical issues and about trust related to the use of blockchain need to be addressed.

Dr Michael Best (Director of the United Nations University Institute on Computing and Society (UNU-CS), Professor, Sam Nunn School of International Affairs and the School of Interactive Computing, Georgia Institute of Technology) argued that AI inevitably falls under ethical and social implications. Thus, ethicists on the cutting-edge of AI are needed. Moreover, there is a critical need for a robust information sharing infrastructure.

AI creates both opportunities and risks; however, the best way to address these challenges is to have a fair and diverse all-round discussion.

The second day of the Global Symposium of Regulators started with the opening remarks of Mr Houlin Zhao (ITU Secretary-General) who talked about regulation in relation to the digital economy. The agenda then moved to the leadership debate. It brought together leaders and experts to discuss the challenges of using artificial intelligence (AI) as well as the opportunities it brings, and how emerging technologies are expanding regulatory frontiers to new horizons. The role of policy makers and regulators is being questioned by digital transformation and the new categories of digital opportunities. This session explored the opportunities of AI for improving services such as e-government. With this opportunity in mind, it is necessary that regulators are able to address the different concerns related to the changing landscape, by identifying both the challenges and opportunities. The session was moderated by Mr Brahima Sanou (Director of International Telecommunication Union, BDT) who introduced the session topic by underlining the ‘huge’ opportunities of emerging technologies, while pointing out the need for awareness.

The first speaker, Mr Sorin Grindeanu (President ANCOM (Romania) and GSR-18 Chair), talked about 5G technologies and the spectrum allocation for implementing them. He used the example of Romania drafting its 5G strategy to highlight that the rapid growth of wireless broadband requires a wireless electronic communications network. Millions of people will be connected, and a new range of applications will be available. The regulation process has to be able to harmonise standardisation.

The second speaker, Mr Ajit Pai (Chairman of the Federal Communications Commission (FCC) of the United States), recalled that the term ‘artificial intelligence’ was coined sixty years ago by Prof. John McCarthy in his research to find a machine that could reason like a human; indeed, he believed that ‘to proceed on the basis of the conjecture that every aspect of learning or any other feature of intelligence can in principle be so precisely described that a machine can be made to simulate it’. Speaking about the opportunities created by AI, he mentioned an FCC project to develop new technology to assist people living with disabilities, and Seeing AI, one of this year’s winners. It is an app by Microsoft that uses AI and deep learning tools to narrate the visual world with spoken audio or real-time text for those with visual impairment. Pai said that he recognises that AI is changing every social and economic aspect of our society. With this in mind, the FCC will hold a forum on the impact of AI and machine learning in the communications market. He then proposed some guiding principles that would set the stage for a policy environment that encourages the development of new technologies and high-speed networks. First, regulatory humility is needed to avoid new technology being forced into old frameworks. Second, governments should facilitate innovation and investments. Third, the spectrum for wireless services should be made free and available for flexible use. Finally, access to new technology should be made universal.

The third speaker, Mr Mahmoud Mohieldin (Senior Vice President of the World Bank Group), argued that there is a need for strategy and policies to deal with opportunities and challenges of information technology. He added three examples of resistance to change and resistance to technology: the reaction of the former Mexican President, Santana, who was against the introduction of steam engines; England’s prohibition of automated machines in sock production; and the initial concerns about Jakar machines. He then moved to a more recent successful example – the M-Pesa mobile phone payment system – used in Kenya. His main point was that at the moment, it is enough to have one specific strategy. There is a need for a global and comprehensive approach and strategy. He introduced the three ‘Bs’ concept: building, boosting and brokering through the implementation of public-private partnerships. Finally, he talked about some positive applications of emerging technologies, such as big data for social good and the IT4D.

The fourth speaker, Ms Anastassia Lauterbach (Author of ‘The Artificial Intelligence Imperative’, and International Technology Strategist Adviser and Entrepreneur), argued that AI is one of the most powerful technologies. Indeed, she pointed out that among the ten top companies in the world, five are ‘AI first’: Google, Facebook, Microsoft, Apple and Amazon. The ‘AI first’ feature can be defined as the focus on investing in their own semiconductors to provide hardware capabilities for data mining. These companies are investing in fundamental AI research. She talked about three main risks that could be encountered while dealing with AI: design mistakes – biases in technology reflecting the technology’s creator; malicious intent – unethical behavior of the system; and, the absence of humans in the collecting and analysing of data. This led her to address concerns over the ethics of AI, related to the governance of AI safety, the decision-making guidelines for autonomous systems, the incentive design for autonomous systems, and the goal alignment between autonomous agents and humans. Finally, she concluded her speech by discussing social governance in AI, which includes actors such as municipalities, schools, AI companies and organisations.

The session was closed by Dr Kemal Huseinovic (Chief of the Department of Infrastructure, Enabling Environment and E-Applications at the ITU/BDT). He argued that everything we love about civilisation is a result of human intelligence; and AI can foster that. The more we rely on technology, the more we need to trust this technology and the question on how we can ensure this trust is not only essential, but it raises ethical issues that require the engagement of policy makers.

The Opening Session of the 2018 Global Symposium of Regulators (GSR-18) began with speeches from Mr Brahima Sanou (BDT Director of the International Telecommunication Union (ITU)), Mr Sorin Grindeanu (President of the National Authority for Management and Regulation in Communications (ANCOM) of Romania, and Chair of the GSR-18), Ms Nerida O'Loughlin (Chair and Agency Head of the Australian Communications and Media Authority), Mr Mahmoud Mohieldin (Senior Vice-President of the World Bank Group), and Mr Manish Vyas (President of Communications, Media and Entertainment Business, and CEO of Network Services at Tech Mahindra). They introduced the topic of the symposium, New Regulatory Frontiers, by stressing the need to understand how Information and Communication Technologies (ICTs) and Internet of Things (IoT) devices can both change our daily life and pose important challenges. It is important to understand that the application and implementation of new technologies challenges everything in the daily life of people and businesses.

Session 1: AI and Cybersecurity – The State of Play

The first session of the Global Symposium of Regulators (GSR) focused on emerging technologies such as Artificial Intelligence (AI), both in terms of emerging threats and vectors strengthening and improving the effectiveness of cyber-attacks. The session was moderated by Mr Joe Anokye (Director-General of the National Communication Authority (NCA) of Ghana) who introduced the discussion by exploring the current situation, and the relationship between AI, the Internet of Things (IoT) and cybersecurity. For instance, according to Anokye, AI should be considered with regard to its application in IoT devices: AI allows IoT devices to be intelligent. However, attention should also be given to the occurrence of cyber-attacks. In the past two years, these attacks have increased. As a result, questions are arising related to the regulation of technologies that are still hard to understand.

The first panellist was Dr Kemal Huseinovic (Chief of the Department of Infrastructure, Enabling Environment and E-Applications, ITU/BDT). He talked about the dual use concept of AI. Indeed, AI can be used for good, as well as being the means for cyber-attacks. Thus, it is necessary to support research and engage with different stakeholders using a multistakeholder approach.

The second panellist was Mr Philip R. Reitinger (President and CEO of the Global Cyber Alliance). He argued that AI can improve the chances and abilities of the defender. To this extent, the notion of risk has to be contextualised. The risk of cyber-attacks is growing because of three factors: complexity, criticality and connectivity. The IoT is going to push these factors exponentially. He proposed thinking about security, not in terms of securing things, but in terms of securing the Internet and the network on which things work and are connected. He argued that the current use of the domain name system is a good way to protect IoT. Moreover, in the long term, there is a need for strong authentication, use of automation, and interoperability.

The third panellist was Mr Manish Vyas (President of Communications, Media and Entertainment Business, and CEO of Network Services at Tech Mahindra). He followed the line of the previous argument: using AI to enable IoT systems. Currently, there is consensus on taking advantage of technology and balancing its negative implications. He further argued that ‘the world of innovation has changed – has changed for good and forever’. However, there is a need to gain the trust of intermediaries.

The fourth panellist was Ms Giedre Balcytyte (International Development Director NRD Cyber Security). She started her speech by explaining the concept of cyber resilience and how essential it is to have infrastructure in place to rely on for resilience purposes. Technology is often used as a means for development and modernisation; however, it must be understood that technology does not tackle issues by itself. Moreover, in order to have an effective system in place, there is a need to emphasise the capacity of the organisations and to understand that knowledge has to move and adopt faster.

The fifth panellist was Mr Serge Droz (Director of the Board Forum of Incident Response and Security Teams). He talked about the danger of the evolution of large scale attacks and the effects they could have. The human component in the management of response situations has to be implemented; and it has to be implemented through collaboration on a large scale. Indeed, it is necessary to communicate because of the global scale and extension of the various issues.

The sixth panellist, Mr Neil Sahota (IBM Master Inventor and WW Business Development Leader IBM Watson Group), followed along the same lines. He stated that risk does not necessarily have a negative connotation and that the main danger we should consider is whether there is a possibility of creating AI that is the ultimate hacker.

The final speaker was Mr Aleksandar Stojanovic (Executive Chairman and Co-Founder AVA). He argued that the missing key element to collaboration is trust. The market is more and more fragmented, and the combination of AI and technology is to some extent extremely new. Thus, the question of trust is migrating to the hardware level. There is a need to trust the impressive amount of information and data coming in. Ensuring the trustworthiness of information will become the pillar of trustworthy AI.

Replying to questions from the audience, the panellists argued in favour of a regulatory framework that merges bottom up and push down approaches, stating that a micro regulatory framework for technology would be dangerous. Moreover, further issues discussed were the concept of trust and interoperability of devices; and the fact that a framework does not necessarily have to come from the regulatory side, but it could also be from the market side.

The final session of the day brought together experts from the private and public sectors and academia. The focus of the session was to identify the next steps that have to be taken in order to improve national policies and strategies, create opportunities to implement ICT services for citizens, and generate social impact and economic development.

The session featured the speeches of Mr Mika Lauhde (Vice President Cyber Security & Privacy of Global Public Affairs, Huawei Technologies Co., LTD), Mr Dan Tara (Vice President of Positive Technologies), Dr Ram-Sewak Sharma (Chairman, Telecom Regulatory Authority of India (TRAI) of India), who introduced the audience to the concept of ‘electronic consent artifact’, Mr Jacques de Werra (Professor of Contract Law and IP Law, Vice Rector of the University of Geneva), and Mr Alan Gush (Senior Director of Cyber Solutions, Comtech Telecommunications Corp.).

The private sector stressed the contradictory situation in which the regulators ask for secure networks but do not provide exhaustive guidelines on how to achieve that. Operators are often not ready. From an academic perspective, the future of education is deeply connected with the future of work, and it is crucial to prepare students for the challenges they will face in the work environment. However, formal higher education could and should be complemented with self-study and certification.

The session was closed with a speech by Mr Yushi Torigoe (Deputy to the Director and Chief of Administration and Operations Coordination Department at the ITU). He stressed the need for collaboration between different stakeholders to effectively tackle emerging issues. He proposed a three pillar approach based on: corporation, collaboration and coordination, while highlighting and recalling the five pillars on which the ITU is based: legal, technical, organisational, capacity building and international.

The application of Artificial Intelligence (AI) for malicious purposes can increase the impact of cyber threats on information and communications technology (ICT) networks. However, AI can also be used to strengthen cyber defense, improve cybersecurity, and create new competences, skills and jobs. The second session of the GSR-18 focused on the positive application of AI to strengthen the security of ICT infrastructures and services, while having a positive impact on the workforce and end users. The session was moderated by Mr Stephen Bereaux (Chief Executive Officer Utilities Regulation and Competition Authority (URCA) of the Bahamas) who introduced the panel, stressing that the key aspect in the regulatory mandate is to understand what these new technologies are, and how they will impact the regulatory frameworks.

The first panellist was Mr Benedict Matthey (Account Executive at Dark Trace). He explained how large organisations are already able to launch attacks; however, the increased availability of learning machines has made small organisations able to launch attacks as well. Thus, the complete visibility of all organisations’ devices is needed. To this extent, organisations need to make sure that it is clear what is going on in the network. The application of AI can enable humans to go beyond their limits: despite attackers using AI, defenders can also use it in tackling security issues because it saves time and is efficient.

The second panellist was Mr Michael Nelson (Tech Strategy at Cloudflare). He talked about the misconception about AI and learning machines which results in ineffective and counterproductive policies. He talked about these misconceptions in terms of myths:

The term ‘artificial intelligence’ is often believed to be a useful term; however, its definition is too broad and refers to too many aspects.

One myth about the Internet of Things (IoT) is that it is different from the Internet. With regard to this, he argued on his Twitter account (@MikeNelson) that ‘We are not going to “fix” the IoT by replacing the Internet’.

There is a misconception about the possibility of controlling software; however, this is impractical.

Regulating AI by controlling algorithms and making companies disclose their algorithms and software does not work. Software evolves minute by minute because of the amount of data that is put into it.

The need for standards and check-lists that define how IoT devices work with the relative proposal of implementing outdated security solutions for all devices should be considered as an additional cost and a subtraction of incentives for innovation.

The final misconception is that we need to create a global framework for securing IoT devices. However, an alternative solution is to rely on the ‘programmable cloud’ to create techniques for securing the different types of IoT applications. To this extent, the main key is the interoperability of devices.

The third panellist, Mr Graham Butler (Chairman at Bitek Global Limited) stressed that the quick evolution of the network means that we see 2.5 million attacks carried out every 20 minutes. Moreover, he underlined that rules on voice telecommunications exist and are applicable, while there are no rules on data. This results in an enormous loss of income. Moreover, policy and law enforcement actors are facing problems because of encrypted traffic: 50-60 % of attacks are encrypted and this creates challenges for law enforcement when it comes to prosecuting the attackers. He finished by saying that the World Wide Web in any country belongs to that country, and that it is that country’s duty to protect it.

The fourth panellist, Mr Ilia Kolochenko (CEO at High-Tech Bridge) argued that the purpose of using AI from a big firm’s perspective is based on the idea that AI technologies solve problems and diminish the costs. Thus, before trying to implement AI, it is important to understand its practical features within the context of the firm.

The fifth panellist, Mr Stefano Bordi (Vice President Cyber Security of Leonardo Company) argued that the cyber defense capability can be described by the coexistence of technology, procedures, processes and people. With regard to the activities of cyber defense centres, he stressed that the application of AI can be implemented in the prevention phase of the activities. Despite the fact that the cybersecurity aspect will always be ‘in front of the monitor’ and the control system, the new cybersecurity experts will need to change their competency package.

The sixth panellist, Ms Miho Naganuma (Manager Regulatory Research Office and Cyber Security Strategy Division at NEC Corporation) argued that in order to liberate AI, we need to face four issues: data, information, knowledge and intelligence. AI gives intelligence features to the devices it is applied to. Thus, for this intelligent part to support human activities, it needs to have broader views for solving issues. In line with the previous statement, she said that in the near future, many processes will be automatised, thus highly skilled people will be needed.

The last panellist was Mr Guido Gluschke (Co-Director of the Institute for Security and Safety, Brandenburg University of Applied Sciences). He started his speech by recalling the history of nuclear weapons and the relative discussion on the international level. He underlined that after the Stuxnet attack, nobody discussed the cybersecurity aspect of the topic. It took five years to make regulators feel confident in ruling about cybersecurity; yet, today there is still no clear understanding about cyber threats. In his closing, he advised including cybersecurity in nuclear security plans and then having a discussion on the topic. There is a need for regulators to understand the topic in its specificity and to act on a co-operative basis, by supporting nation states in the implementation of the policies. Education is a key factor and has to be implemented. Finally, a multistakeholder approach is necessary.

This meeting was organised by the United Nations Interregional Crime and Justice Research Institute (UNICRI) and focused on technology, security and development. Furthermore, the event also brought attention to the SIRIO Project (Security Improvements through Research, Technology and Innovation), meant to identify emerging risks and their possible technological solutions. The global impact of technological changes, such as, but not limited to, artificial intelligence (AI), data science, blockchain, and robotics, has both opportunities and challenges. Technology can contribute to the achievement of the sustainable development goals (SDGs) while representing the means for organised cybercrime.

The first panel discussion focused on big data visualisation technology as a means to fight organised crime investments in the legal economy. Mr Jean-Marie Le Goff (CERN) talked about the experience of the Italian government in fighting organised crime through the use of big data. It was a combination of the unique expertise of CERN in the visualisation and interpretation of big data, and the big data that Italy produces with regards to organised crime. He explained that visual analytics has to be combined with a deeper analysis of the data. Visual analytics combines automatic analysis techniques with interactive visualisations. Humans do not have the capacity to process data the way a computer does, but they can decide how to visualise the data, once processed.

Mr Francesco Marelli (UNICRI) complemented Le Goff’s contribution by explaining how the pilot case study was conducted, through a combination of three tools. The first one was the dataset made available by the Italian government, about all the assets confiscated in relation to organised crime over a period of 70 years. The second was a digital platform to navigate through the data and results, made available by CERN. The final tool was a combination of ‘domain experts’ and ‘data scientists’. The first result of the pilot study was the possibility to map where the organised crime groups invested in the Italian economy and the relative magnitude of the confiscation, and to make an analysis based on different regions (Sicily, Calabria, Campania and Lombardia). Moreover, it was possible to focus on the specifics of such business investments and the relative type of sectors organised crime groups were investing in. This pilot study was then proposed as an expanded prototype. Indeed, the dataset was incremented with additional information, such as court judgements and data from local non-governmental organisations (NGOs). In this way, it was possible to identify the organisational features, financial capacity, and the relative connections (and straw men) of the organised crime groups: the researchers were indeed able to understand for each organised crime or ‘mafia’ group, their organisation, decision-making patterns and vulnerabilities. Finally, in terms of prediction, it is clear that crime cannot be anticipated; however, with regards to crimes that happen with regularity, some patterns can be identified.

The second topic of the panel discussion was virtual reality for law enforcement training, addressed by Mr Sergio Olivero (SiTI, Italy). He argued that there are two main categories of disasters: those that are natural, and those that are man-made, in which many actors are involved, from governmental authorities, to citizens, communities, and volunteering society. He explained that training is essential for effective emergency management; however, traditional training has a series of problems in terms of costs, time, and involvement of professionals. Moreover, traditional training is hard to assimilate if it is done in a classroom. In this regard, simulations are effective alternatives and inevitable training tools. A simulation is an artificial environment created with software to make people feel as if they are in the real world. In applied science, simulation means a model of reality that enables the evaluation and forecast of the dynamic evolution of a series of events and processes defined by the user. It has several features: it is immersive, interactive and versatile. From simple video games to serious games, the phenomenological approach is indeed able to create simulation as close as possible to real life. In serious games, the operator understands what happens in the situation; however, it is with a phenomenological approach that it is possible to reproduce the physical events and processes in order to reduce the cost of the training. A crucial point is that advanced technologies make the use of such technologies inevitable. Moreover, training using virtual reality has several benefits in terms of time, costs, efficiency, security and safety, geographical barriers; and, in terms of monitoring, it is possible to always have the trainees under watch. Finally, it must be noted that we must differentiate between virtual reality and augmented reality. The former is an artificial, computer-created simulation, while the latter identifies an interactive experience of a real-world environment.

The third topic, tools for rapid response to emerging crimes, was addressed by Mr Mikael Blomquist Jensen (UNICRI). He explained that the overarching goals are aligned with Goal 16 of the UN 2030 Agenda, to promote peace, justice and strong institutions. He explained UNICRI’s specific goals to promote national, regional and international co-operation for shared concerns and emerging crimes. He explained that the international rapid response pattern that they use is structured around four pillars:

Action oriented research

Tailored capacity building

Good practice

Rapid response

Law enforcement is challenged by the dynamic evolution of the patterns used by the organised crime groups: they are leaving the deep web and using more common tools such as WhatsApp or Telegram. He then talked about the specialised and tailored training that they are working on to swiftly develop and provide training on legislation, good practice and governance, detection investigation, prosecution and sentencing, technical issues and information management. It is meant to create a cross-cutting rapid response and training unit within UNICRI. Moreover, the focus of operational activities is on the following aspects:

Illicit trafficking in precious metals and gemstones

Anti-corruption

Support for applying technology to reinforce security

Rehabilitation and reintegration of violent extremist offenders

Cyber-crime.

The final presentation was delivered by Mr Marco Musumeci (UNICRI) who went into detail about the SIRIO Project. It is meant to understand the technologies that could represent a risk for national security, and those that could be used as tools for achieving national security. It must be noted that there is an increasingly high involvement in the project of the private sector, especially from the technology industry. The project has six different networks: biotechnology, supply chain security, big data, cybersecurity, CBRN management, and artificial intelligence. The pattern used is a three-step process: identification of emerging security risks and threats analysed by UNICRI and discussed with experts; the identification of policy/technology solutions within the technological community; and advocacy, meant as the communication of the results.

Mr David Luna (Luna Global Networks) continued by talking about the application of technology to fight illicit trafficking and complementing existing initiatives. He argued that the multistakeholder approach is essential for facing the current challenges. He focused on the global illicit economy, explaining that the global economic value of counterfeiting and piracy could reach USD 2-3 trillion by 2022. Moreover, the financial cost of cybercrime will double in the following years. He finished by noting that to better develop public capacity, it is necessary to understand the landscape of illicit trade and markets. Technology can support governments and the private sector in improving responses to existing threats that harm global security, markets and consumers.

At the beginning of the session, the moderator of the workshop, Ms Jacqueline Eggenschwiler (Member, EURALO Individuals’ Association), asked the audience to use the Mentimeter online tool to express their views on the most engaged stakeholders in the norm-building process.

The word cloud showed the prominence of the tech community, the private sector and civil society. The co-moderator, Ms Tatiana Tropina (Senior Researcher, Max Planck Institute for Foreign and International Criminal Law), noticed that this word cloud reflects people’s aspirations, rather than the real situation.

Dr Wolfgang Kleinwächter (Member, Global Commission for the Stability of Cyberspace) continued by providing background information regarding the history of the emergence of cyber-norms. He noted that strong regulation would stifle innovation and development, but that it is necessary to stick to certain rules in cyberspace. In addition, governments cannot control cyberspace due to their lack of or limited technological knowledge, especially for attribution issues. Governments have now ‘opened the door a little bit to the private sector’. However, the negotiation of legally binding norms is the states’ prerogative.

Mr Maarten Botterman (Member, Board of Directors, Internet Corporation for Assigned Names and Numbers (ICANN)) reflected on the role of industry and soft norms. Industry has its own interest to participate in norm-making, thus allowing their market to flourish. In so doing, industry sometimes develops soft norms to keep each other under self-regulation. As for civil society, ‘they may stimulate industry to come to norms, they may stimulate states to come to agreements, but they don't set the norms themselves’.

Mr Christoph Steck (Director Public Policy & Internet, Telefonica) provided several understandings of a norm: 1) Legal norms as regulation; 2) Self-regulation, when a particular stakeholder sets the norms of behaviour and adheres to them; 3) Co-regulation, when a third party (governments for instance) acts as supervisor for self-regulating norms; and 4) Security standards for manufacturers and producers.

Ms Nata Goderdzishvili (Head of Legal Department, Georgian Data Exchange Agency) spoke from the government perspective and expressed skepticism regarding Microsoft’s proposal of a Digital Geneva Convention. ‘Big multinational companies can dictate international conventions… of course private companies have a big role in setting and applying specific standards, but it is the states who should agree on [standards]’. She noted that states have made good progress in cyber norm-building despite some failures, such as the UN Group of Governmental Experts (UN GGE) in 2017.

Ms Dominique Lazanski (Public Policy Director, GSMA) highlighted the issue of discrepancy in adopting cyber norms by certain countries, thus leading to a division in ‘western norms’ and ‘non-western norms’, so that ‘two different states are likely to be operating under their separate definitions of norms’. She mentioned, inter alia, the importance of information sharing during cyber-attacks, and the need for multistakeholder participation in the response to and mitigation of the attacks.

One of the recurrent statements made about cybersecurity and the necessity for SMEs to take action in this field was that money spent on the enhancement of cybersecurity should be regarded as an investment, not as an expense. In the near future, investment in cybersecurity will likely amount to CHF 6 billion per annum in Switzerland.

Even though SMEs in Switzerland indicated that they are well, or very well, prepared in terms of security, many businesses remain unaware of instances in which they were victims of cyber-attacks. Additionally, Rivière raised the point that according to a Swiss consumer study about who should be responsible for the protection against cyber-threats, up to two thirds of the people surveyed saw the protection of their information against cyber-threats as the responsibility of the company providing the online service.

The general agreement of the panellists was that SMEs in particular have to come up with their own security solutions, and that they should not – and cannot – rely solely on state efforts to protect them. This consideration was made in light of the companies’ positions towards the customers with whom they establish a relationship based on trust. Moreover, the required improvements to cybersecurity should not be rushed, but rather introduced gradually. According to Rivière, even though the General Data Protection Regulation (GDPR) was not quite welcomed by many companies, SMEs should quickly come to see it as an opportunity and a chance to improve their capabilities.

On a political level, Maudet, in line with Microsoft CEO Mr Brad Smith’s video message, emphasised that Geneva should become the global capital for cybersecurity, due to its unique position and experience in the policy sphere. Maudet also spoke of the need to create a global agency for digitisation that could potentially operate out of Geneva. The state councillor also identified the lack of political awareness regarding issues related to the digital field, as a risk in the digital age.

Another panel of SME representatives, composed of Mr Nicolas Grange, associate at Grange & Compagnie SA, Mr Olivier Croset, the general director of the Dorier group, and Mr Patrick Schefer, the director of FAE, went on to speak about their experiences with breaches caused by cyber-attacks and online fraud. The common denominator was that state officials and police were largely unable to help, and that solutions had to be found through private means (i.e. cybersecurity firms, lawyers, security departments of banks).

After the SME panel, Ms Lennig Pedron, a cybersecurity expert, demonstrated the hacking of a person’s email account through ‘phishing’ and reiterated the importance of training staff members. This point was largely echoed by the audience, especially considering that, according to Pedron, 80% of all breaches can be traced back to human error.

A third panel presented the position of law enforcement and explained the limited actions they could undertake with regards to cyber-crime. The two panellists were Ms Ioulia Fasola, a criminologist for the Geneva cantonal police, and Mr Patrick Ghion, chief of the forensic section of the Swiss federal police.

The closing statement was made by Mr Michael Kleiner, economic development officer at Directorate General for Economic Development, Research and Innovation. He recalled the creation of the Geneva Digital Talks in order to bring the Genevan SME community closer together, to address certain topics related to cybersecurity, and to respond to Brad Smith’s proposal for Geneva to become the cybersecurity hub of the world.

2. To assist the private sector to detect and respond to cyber-attacks on companies’ infrastructure

3. To protect companies from states launching cyber-attacks using the companies’ infrastructure

4. To set up institutions to identify the sources of cyber-attacks

H.E. Monique TG van Daalen, Ambassador Extraordinary and Plenipotentiary Permanent Representative of the Kingdom of the Netherlands to the United Nations and other international organisations in Geneva, gave a state perspective on the Digital Geneva Convention. The economies of states rely on the Internet more and more. Highly digitalised countries want to keep the Internet open. The Netherlands wants to enhance security on the Internet through international cyber diplomacy. Van Daalen said that Microsoft’s efforts are greatly appreciated in the Digital Geneva Convention debate. But Van Daalen pointed out that the name could bring confusion because to some, it could mean that the 1949 Geneva Convention is no longer valid. With regard to the proposed Digital Geneva Convention, Van Daalen expressed appreciation towards Microsoft’s efforts, but noted that it will be a cumbersome process to debate such a convention. She also pointed out that the Netherlands remains committed to the principle that the rights people enjoy offline must also apply online.

Mr Laurent Gisel, Legal advisor at International Committee of the Red Cross (ICRC), highlighted that the ICRC is responsible for the development of international humanitarian law. The ICRC’s wish is to see that emerging issues be captured in international law to reduce suffering, since new weapons in warfare pertain to technology.

Cyber-attacks used today are criminal acts. Cyber warfare is as much of a concern as any attack on humanity. The use of cyber-attacks on transportation systems, hospitals, and other critical infrastructures can result in great human casualties. Cyber operations can endanger humans, and the ICRC backs Microsoft’s proposal for international law.

Throughout the 2017 edition of the Geneva Peace Week, it became clear that digital technology has important implications for conflict prevention, albeit in two distinct and contradictory ways. Some sessions identified the ways in which digital technology can assist in the prevention of conflict. They highlighted the potential of e-commerce, big data, artificial intelligence (AI), and geographic information systems. Yet, at the other end of the spectrum, there was a focus on the ways in which digital technologies have given rise to increased threats. How to respond to the risk of cyberconflict? What will happen if new technologies, such as big data and AI, are used for the wrong purposes?

Opportunities for conflict prevention

One of the opportunities posed by digital technology is in the realm of e-commerce. With the launch of the e-caravan for peace, the International Trade Centre and the Permanent Mission of Japan showed that e-commerce can advance economic empowerment, including that of women and migrants in conflict situations. Trade in war zones can be a force for good, and e-commerce can allow for the integration of disempowered communities in the economy.

Gaming is another emerging avenue of contribution to conflict prevention. UNITAR presented its recently developed peacekeeping game Mission Zhobia. Throughout the game, skills and knowledge can be developed and tested in the safe environment of a simulated game. By training on issues such as conflict analysis, engaging stakeholders, building trust and adapting to new challenges, the game teaches key competencies for peacebuilding.

Emerging technologies may have extensive potential in untangling the complexity in which conflicts are embedded. Big data could provide real-time, objective information to conflict analyses and early warning systems, and the visualisation of big data could provide clarity on conflict patterns. Geographic information systems and satellite data – which could be considered one of the earliest forms of big data – can provide important insights in early warning systems and the utility of open source-based information was also discussed. Yet big data can be complex, biased and multi-interpretable, and their collection can give rise to data protection concerns that need to be taken into account. AI systems have turned out to be effective in tackling well-defined problems; nonetheless, their utility in complex settings and social contexts has so far remained limited.

Threats to conflict

One of the recurring themes during the Geneva Peace Week was the search for an appropriate response to the risk of cyberconflict. One initiative was brought forward earlier this year by Microsoft’s President Brad Smith, who proposed a Digital Geneva Convention. The utility of such a convention was discussed during one of the roundtables at the opening of the Geneva Peace Week. Discussants agreed that challenges brought by digitalisation require new norms and regulations. However, due to the important role of non-state actors in cyber warfare and the key concerns regarding the responsibility of the private sector, a Digital Geneva Convention might not be able to solve the key issues.

Further building on this topic, the session on Preventing cyber conflicts: Do we need a cyber treaty?, discussed, among other things, whether the existing legal framework is sufficiently equipped to deal with cyber threats. The panellists agreed that any new convention needs to be drafted with the participation of all the stakeholders and that governments need to take action to address vulnerabilities and externalities. Another session tackled a particular cyber challenge – the creation of a safer Internet for children, dealing with the development of a strategy to combat sexual violence against children.

The topic was concluded with a keynote lecture by Smith, who explained the rationale behind the proposed Digital Geneva Convention, relating it to the history of the establishment of the ICRC and the Geneva Conventions. His keynote was followed by a panel discussion with humanitarian and human rights perspectives and comments from the participants and online audience.

Besides the Internet as we know it today, emerging technologies are giving rise to new threats as well. Big data risks leading to mass surveillance and AI could empower lethal autonomous weapons systems. The face of war and conflict prevention will continue to be affected by technology, highlighting the need to continue the discussion on how to mitigate technology threats while promoting technology as a conflict prevention tool.

The roundtable discussion, moderated by Dr Roxana Radu, Manager at the Geneva Internet Platform and Internet Governance Associate at DiploFoundation, was part of the World Café Reception marking the start of the Geneva Peace Week.

Background: The global Internet regulation is in an ambiguous situation. On one hand, international law applies online, including rules on state responsibility, territorial integrity, non-intervention, and self-defence. On the other hand, there is no agreed practice nor rules on how to apply these rules to Internet disputes. The fast-growing cybersecurity challenges require faster action at an international level. Several calls were made by governments (such as those in the UN GGE) and by the private sector to start a discussion around the norms of behaviour in cyberspace. Among the latter was the recent proposal by Microsoft for a Digital Geneva Convention, which should ‘commit governments to avoiding cyber-attacks that target the private sector or critical infrastructure or the use of hacking to steal intellectual property’. According to this proposal, the Geneva humanitarian conventions provide inspiration for considering the tech sector as neutral, similarly to medical personnel in war zones.

Q1. Is a Digital Geneva Convention needed? Will it solve the issues?

There is a need to have rules for applying existing international law to online matters as well as introducing new rules whenever there are gaps. The open question is whether such rules can be introduced by a Digital Geneva Convention. The predominant view was that such an instrument is not realistic to adopt in the current international atmosphere. Some discussants argued that it is not even desirable. Since cybersecurity conflicts are likely to increase, there will be increased pressure to have some solutions at an international level. The session discussed some alternative solutions that could address two challenges: increase the clarity of applying existing international law and introduce new implementation mechanisms. One solution is the so-called Montreux process for the application of international law to private military and security companies present in an armed conflict, which apply existing rules (humanitarian law) via a multistakeholder implementation mechanism.

Courts are likely to fill this lacuna in global digital governance. For example, the Court of Justice of the European Union has created rules on mass-surveillance, the right to be forgotten, and privacy. Courts are applying rules that were formulated 20-25 years back and may not reflect today’s reality. The challenges of digitalisation – exposing all sectors to rapid tech transformations – make it urgent to agree on norms.

The perceived exceptionalism of the tech sector (limited or no regulation) is increasingly challenged and Microsoft’s initiative appears as a pre-emptive move. Many questions arise around the intent of this proposal, the target audience and the substantive provisions. Participants pointed out that many issues are left out of the discussion, in particular questions of bioweapons further powered by digital innovations, excessive collection and control of data for cybersecurity, as well as the responsibility and accountability of the private sector in these discussions. Relatedly, the increasingly asymmetrical nature of cyber warfare and the role of non-state actors were emphasised, raising doubts about the extent to which a Digital Geneva Convention would solve the key issues.

Q2. Geneva is the world’s humanitarian capital. What can the emerging digital policy field learn from the long history of humanitarian protection?

The Geneva Convention established the standards of international law for humanitarian treatment in war, and the International Committee of the Red Cross (a Swiss non-profit association) was founded as the custodian for the strict implementation of the treaties of the Convention. If we are to have a Digital Geneva Convention as proposed by Microsoft, what existing or new international organisation could take on the role of monitoring the implementation of the convention? The tech sector cannot be treated as neutral when it has vested interests and owns the Internet infrastructure. The participants to the roundtable also expressed concern around the uneven rates of Internet penetration around the world and the position of developing countries in the Digital Geneva Convention discussion. The scale and speed of technological developments should be considered in the approach to the convention, which applies in times of cyber-peace rather than cyber-war. Distinguishing between offensive and defensive attacks in cyberspace and adopting a citizen-centred perspective would also be imperative in order to substantiate the debate.

Welcoming attendants, Dr Roxana Radu, Programme manager, Geneva Internet Platform (GIP), introduced the main idea behind the event: to move cybersecurity discussions from an abstract level to a practical, solution-oriented one, away from politicised and ideological angles. This event is part of the Geneva Digital Talks series initiated on 12 October and co-organised by the Canton of Geneva, digitalswitzerland, and the GIP. Several focused discussions are planned in this series, including dedicated events later in the month on peace and jurisdiction. The spirit of these discussions is open and interactive. Co-organising the event, the Geneva Centre for Security Policy (GCSP) shared the vision for the event. Dr Gustav Lindstrom, Head of the Emerging Security Challenges Programme, GCSP, moderated the first session, focused on current vulnerabilities in cybersecurity.

Mr Martin Dion, Vice President of EMEA Services, Kudelski Security, began by criticising attempts to predict cybersecurity trends. Such predictions, he argued, are based on flawed security reference models, which reflect a lack of understanding within the system. Drawing on three cases (WannaCry/Petya ransomware; Mirai Botnet; and Equifax/Deloitte breaches), Dion maintained that there is a disconnect between the real problem and how it is perceived. The affected companies spent considerable resources on their security; yet, all attacks could have been avoided by fairly simple measures, such as security patch updates. This, he posited, evinces a cognitive gap. Cybersecurity is conceived as an issue of confidentiality, but is acted upon as a matter of service availability (‘if you have a heart attack, does your privacy matter?’). Inflating the problem, technological solutions continue being developed, to the point of market saturation. However, scientific innovation should not be the main goal. A security system is as strong as its weakest link, and these are its users. To illustrate his provocation, Dion gave one idea and one fact. First, he believes that privacy is ‘an older issue’, since the new, digitally native generation, ‘doesn’t care about privacy’. Second, he stated that there are six times more jobs (90,000) than cybersecurity graduates (15,000) in the United States, his company’s biggest market. These examples, he argued, indicate that we need to address the issue of cybersecurity at its feeblest points: individually and socially.

Ms Päivi Tynninen, Researcher, Threat Intelligence Unit, F-Secure Labs, divided her presentation into three parts. First, she discussed recent supply chain attacks, such as the spy network detected by operation Cloud Hopper, Petya/NotPetya, and the hacking of CCleaner. While explaining Avast’s inability to notice the latter, she noted that since ‘these attacks target organisations through the most vulnerable parts of their supply network, this makes it difficult, even if you are within the industry, to detect threats’. Next, Tynninen assessed the vulnerability of devices connected to the public Internet system, citing the Mirai and ReaperIoT botnets. She also presented original research on information breaches: two-thirds of the stolen data concerned personal information, while the remainder pertained to credit card data. Furthermore, parsing the 30-odd breaches that happened to large companies within the last ten months, Tynninen shared estimates that 90% of them resulted from misconfigurations and years of delayed security updates. Finally, she analysed the issue of spam, observing that, in 2014, it represented two-thirds of the world’s email traffic. She gave as an example spammers’ ability to falsify sender addresses with the John Podesta leaks. Because he responded to a fake Gmail password update request, hackers were able to invade his account. To conclude, Tynninen stated that ‘the Internet is not fit for non-secured services’.

In the ensuing Q&A, speakers were first asked to summarise their recommendations. Dion emphasised the distinction between being a target and being a victim of an attack, exhorted netizens to acknowledge their responsibility (and not just their governments’) concerning their security, and proposed that ‘we do the basics’ when it comes to cyber prevention. Likewise, Tynninen also highlighted the need for proper ‘basic hygiene’. She focused on the matters of restricting the upload of unnecessary data and taking the issue of security clearances seriously. Then, the presenters fielded questions on the importance of structural solutions; how regulatory efforts (in particular the EU General Data Protection Regulation) can increase cybersecurity; how big the risk of interstate cyberwar is; and, if the issue cannot be solved immediately, why society should be concerned about it.

The third session of the Geneva Digital Talks (GDT) ‘Preventing Cyber Conflicts: Do We Need a Cyber Treaty?’ was also part of the Geneva Peace Week – a collective action initiative facilitated by the United Nations Office at Geneva (UNOG), the Graduate Institute of International and Development Studies (IHEID), and the Geneva Peacebuilding Platform, in collaboration with the Swiss Confederation.

Dr Jovan Kurbalija, Director of DiploFoundation and Head of the Geneva Internet Platform, welcomed the audience by contextualising the discussion: this event built upon Microsoft president Brad Smith’s call for a Digital Geneva Convention ‘to implement international rules to protect the civilian use of the Internet’.

Dr Eneken Tikk, Senior Advisor at ICT4Peace, launched the panel discussion by stressing that facing existing cybersecurity challenges requires, most importantly, a mentality shift: technological, legal, and political solutions are ineffective if we fail to keep in mind that such solutions also affect society: ‘peace cannot be indoctrinated but it needs to be discussed as a mentality, as a climate’, she stated. She further considered that the nature of a possible agreement on cyberconflict needs to be specified. According to her, the discussion should first consider that ‘convention’ as a concept does not simply designate a treaty among states parties, but rather encompasses a social dimension because, after all, it is a social contract. In other words, ‘Do we need a convention? Yes. Do we need a treaty? Not sure’, she affirmed. She further considered that the need for a binding legal agreement depends mostly on whether the existing legal framework is lacking in addressing the issue at stake. The answer to this question requires a cyberconvention feasibility study considering, firstly, the kind of methodology to be chosen (either qualitative or quantitative approach – or both – when current norms are inapplicable) and, secondly, a multidisciplinary approach looking at the different aspects at stake from different points of view (e.g. legal, technical, political) in order to avoid ‘silos-thinking’.

Ms Anne-Marie Buzatu, Deputy Head of the Public-Private Partnerships Division at the Geneva Centre for the Democratic Control of Armed Forces (DCAF), stressed the importance of a multistakeholder approach to the drafting of the convention. As an example, she referred to the Montreux Document on Private Military and Security Companies signed in 2008 by over 70 countries, upholding the respect of international humanitarian law and human rights law whenever private military and security companies (PMSCs) are present in armed conflicts. Although non-binding, the document is the result of a multistakeholder effort that produced an accountability mechanism through a certification and monitoring process for PMSCs vis-à-vis their relation with governments. She concluded that, applied to cyber governance, the ‘Montreux approach’ would result in ensuring an effective control of all actors involved, i.e. giving governments, information and communications technology (ICT) companies, and users an equal seat at the discussion table in order to develop codes of conduct and mutual legal assistance agreements.

Dr Richard Hill, independent consultant, concluded the session by considering the vulnerability of the existing computer software used by governments in order to fight terrorism. He warned against the stockpiling by governments of so-called ‘zero-day exploit’ vulnerabilities, i.e. vulnerabilities exploited in the time between the discovery of a breach and when it is fixed. For example, the WannaCry ransomware attack originated from a leaked NSA stockpile. Hill welcomed Microsoft’s proposal on the grounds that it calls for governments to take action in order to address vulnerabilities and externalities. Joining the previous speakers, Hill praised the need for an agreement but highlighted that this does not necessarily entail the need for a new text, because such a convention could be seen as a complement to the existing International Code of Communication of the International Telecommunication Union.

Mr Andy Bates, Executive Director, United Kingdom, Europe, Middle East & Africa, Global Cyber Alliance, introduced the Global Cyber Alliance, and then stated how cybercrime has overtaken normal crime in terms of economic value. Despite the increasing economic risk of cybercrime, he argued that ‘cybercrime is just crime’, pointing out that it is crime adapting to modern tools. In his opinion, the responses should not basically differ too much from the measures taken to address other forms of crime. He highlighted that cybercrime is usually serial in nature, with many criminals potentially using the same vulnerability and being repeat offenders. He discussed the human psychological aspect in the context of phishing and spoofing emails as well as structural issues with the Internet.

He presented a tool called DMARC, which enables individuals and companies to register domains that then establish a handshake between actors to monitor email trustworthiness. In addition, he presented the Internet Immune System, a blacklist given to top level Internet service providers (ISPs) to track pages which contain malware. He argued that ISPs should work towards cleaning up the internet for individuals.
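An added example (not from the talk or from the Global Cyber Alliance) of the check a receiving mail server performs under DMARC (RFC 7489): the owner of a domain publishes a policy in DNS, and the receiver applies it when neither SPF nor DKIM passes for a domain aligned with the visible From address. The record, the domains and the two-label organisational-domain shortcut are assumptions made for the illustration; real receivers use the Public Suffix List.

```python
"""Added example: apply a published DMARC policy to one message's results."""
from dataclasses import dataclass

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict; raise ValueError if unusable."""
    # RFC 7489: the version tag must come first and be exactly DMARC1.
    if txt.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    for key in ("p", "sp"):
        if key in tags:
            tags[key] = tags[key].lower()
            if tags[key] not in VALID_POLICIES:
                raise ValueError(f"unknown policy in {key}: {tags[key]!r}")
    if "p" not in tags:
        raise ValueError("missing required p tag")
    return tags


def org_domain(domain: str) -> str:
    """Assumption: organisational domain = last two labels (no suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode ('s') needs an exact match, relaxed ('r') the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str   # domain in the visible From: header
    spf_pass: bool
    spf_domain: str    # envelope sender (MAIL FROM) domain that SPF checked
    dkim_pass: bool
    dkim_domain: str   # d= domain of the verified DKIM signature


def evaluate(record_txt: str, policy_domain: str, msg: AuthResults) -> str:
    """Return 'pass', or the disposition the domain owner asked for.

    policy_domain is the domain whose _dmarc TXT record was found.
    """
    tags = parse_dmarc(record_txt)
    spf_ok = msg.spf_pass and aligned(
        msg.spf_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_pass and aligned(
        msg.dkim_domain, msg.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # The sp tag, when present, overrides p for subdomains of the policy domain.
    is_subdomain = msg.from_domain.lower() != policy_domain.lower()
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]


# Constructed sample record and messages (not real traffic).
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc@example.com"
LEGITIMATE = AuthResults("example.com", True, "bounce.example.com", False, "")
# SPF and DKIM both pass, but for the sender's own unrelated domain.
SPOOFED_FROM = AuthResults("example.com", True, "mailer.example.net",
                           True, "example.net")
SUBDOMAIN = AuthResults("news.example.com", False, "", True, "example.com")

if __name__ == "__main__":
    for name, msg in [("legitimate", LEGITIMATE),
                      ("spoofed From", SPOOFED_FROM),
                      ("subdomain", SUBDOMAIN)]:
        print(f"{name:13s} -> {evaluate(RECORD, 'example.com', msg)}")
```

The second sample shows why alignment is the point of DMARC: SPF and DKIM can both pass for a domain the sender controls while the From address the user sees belongs to someone else.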

Lastly, Bates outlined future scenarios, focussing mostly on the importance of sharing information across the private and public sectors, together with measures that would seek to prevent duplication. In addition, he mentioned how reporting about cybercrime could be centralised. As a concluding remark, he pointed out that individuals need to use common sense and intelligence when addressing cybercrime.

Dr Gustav Lindstrom, Head of the Emerging Security Challenges Programme, Geneva Centre for Security Policy (GCSP), gave a presentation which focussed on the issues and trends for future consideration in the field of cybersecurity. Firstly, he stressed that raising awareness needs to be a constant process. Due to its constantly changing nature, cybercrime should be seen as an emerging threat.

Lindstrom’s second point focussed on the key aspects of evolving technology and services which remain beneficial for us but also pose security challenges. He discussed many developments such as cloud computing, as the cloud is an attractive target for attacks. He described how the cloud can be used to hide malware. In addition to cloud computing, he mentioned how big data, through injecting false data, poses security threats in addition to the privacy issues. He also discussed the issue of 3D printing which can be used to circumvent existing measures, while providing potentially dangerous tools. Circumventing existing measures is also a risk posed by distributed ledger technologies. As a final aspect of this, artificial intelligence and machine learning, despite their ground-breaking advantages, run the risk of being misused and compromised.

The Internet of Things (IoT) can provide benefits, but it also opens the door for many new potential threats. Lindstrom pointed out how the shift in states’ cyber defence and offence poses a challenge. He argued that an increasing number of countries have developed capabilities to move from defence to offence, with roughly 30 countries having dual capabilities, but this number is hazy as is the boundary between defence and offence. As such, Lindstrom suggested, offensive cyber operations will likely increase and cyber weapons might be updated at a fast pace, especially in terms of delivery mechanisms. As a final point, while there are differences in state capabilities, all countries will try to seek to utilise zero-day vulnerabilities to their advantage. He then concluded his presentation by pointing out the increasing role of the private sector in the field, which is not only due to financial aspects but also due to the proliferation of public-private partnerships.

As a practical contribution to a more secure Internet, Prof. Adrian Perrig, Computer Science Department, ETH Zurich, presented his team’s work on the ‘Scalability, Control and Isolation on Next-Generation Networks’ (SCION) architecture. He elaborated on his comments on the previous panel, in which he disagreed with other speakers that humans were the weakest link in cybersecurity and emphasised the relevance of sovereignty matters in light of the ability of a few select (state and business) actors to implement kill switches against entire nations. Perrig illustrated his point with the case of the cyberattack Estonia suffered in 2007. In a more recent example, three weeks ago a Google employee in Japan made a mistake. As a result, ‘half of the country was down for 40 minutes’. If even an honest mishap like that can cause a complex Internet structure such as Japan’s to lose half of its digital capabilities, ‘then we have a problem’.

SCION, Perrig maintained, is meant to solve this issue. It was built ‘to ensure the creation of areas of sovereignty where external entities cannot access and thereby disrupt connections’. Its basic approach is to use isolation domains, with routing across a number of autonomous systems. Before SCION was launched, the Border Gateway Protocol (BGP) was the only one to operate accordingly. Nonetheless, BGP was subjected to attacks such as prefix hijacking, to which SCION is much more resistant. This is because SCION’s multi-path routing allows users not only to have a greater selection of paths, but also to control them. Moreover, multi-path routing enables users to prevent the transfer of any data packets from networks that they have not authorised. So, even when hackers have all the necessary information on a particular network to launch an attack, they will be unable to do so unless their network is authorised.
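An added example, not SCION code and not part of Perrig's presentation, of how a BGP operator can flag the prefix hijacking mentioned above: each announcement is checked against a table of authorised origins using the origin-validation rule of RFC 6811, a technique the summary itself does not mention. The prefixes, AS numbers and table are constructed from documentation ranges.

```python
"""Added example: flag BGP announcements whose origin is not authorised."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    prefix: object      # ipaddress network the holder registered
    max_length: int     # longest prefix length the holder allows
    origin_as: int      # AS permitted to originate the prefix


def auth(prefix: str, max_length: int, origin_as: int) -> Authorization:
    return Authorization(ipaddress.ip_network(prefix), max_length, origin_as)


def validate(prefix: str, origin_as: int, table) -> tuple:
    """Return (state, reason) with state 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    # An authorisation covers the route if the route lies inside its prefix.
    covering = [a for a in table
                if a.prefix.version == route.version
                and route.subnet_of(a.prefix)]
    if not covering:
        return "not-found", "no authorisation covers this prefix"
    if any(a.origin_as == origin_as and route.prefixlen <= a.max_length
           for a in covering):
        return "valid", "origin and prefix length are authorised"
    if any(a.origin_as == origin_as for a in covering):
        return "invalid", "more specific than the holder authorised"
    return "invalid", "origin AS is not authorised for this prefix"


def suspicious(feed, table) -> list:
    """Return (prefix, origin, reason) for every invalid announcement."""
    flagged = []
    for prefix, origin_as in feed:
        state, reason = validate(prefix, origin_as, table)
        if state == "invalid":
            flagged.append((prefix, origin_as, reason))
    return flagged


# Constructed authorisation table (documentation prefixes and AS numbers).
TABLE = [
    auth("192.0.2.0/24", 24, 64500),
    auth("198.51.100.0/24", 25, 64501),
]

# Constructed feed of observed announcements: (prefix, origin AS).
FEED = [
    ("192.0.2.0/24", 64500),       # the legitimate origin
    ("192.0.2.0/24", 64511),       # same prefix, different origin
    ("192.0.2.0/25", 64511),       # more-specific prefix, different origin
    ("192.0.2.128/25", 64500),     # right origin, longer than max_length
    ("198.51.100.128/25", 64501),  # more-specific, but within max_length
    ("203.0.113.0/24", 64502),     # nothing registered for this prefix
]

if __name__ == "__main__":
    for prefix, origin_as in FEED:
        state, reason = validate(prefix, origin_as, TABLE)
        print(f"{prefix:20s} AS{origin_as}  {state:9s}  {reason}")
```

A more-specific announcement is flagged even when the origin AS is the right one, because routers prefer the longest matching prefix and the holder's `max_length` is the only statement of which lengths are expected.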

Showcasing the SCION team’s accomplishments, Perrig mentioned ETH’s partnership with SWITCH, the Swiss national research and educational network. This endeavour allowed other Swiss universities to enjoy the benefits of the architecture. All that is needed is a special router, which can be installed in 5 minutes. SCION’s dedicated visualisation system can be accessed from a machine as straightforward as a Raspberry Pi. Currently, SCION is present on over 40 campuses around the world. In addition, SCIONLab has already shipped another 50 routers to other universities, in Switzerland and abroad. Another landmark is that one Swiss bank has already changed one of its branches’ networks to SCION. These developments show that, not unlike the replacement of regular phones with smartphones, users have begun to perceive the benefits of SCION in comparison with other network architectures.

To conclude, Perrig challenged the reasoning that humans are the weakest link in cybersecurity. To him, only people can make certain decisions regarding technology with political implications. Nonetheless, the issue lies in the fact that ‘if you make it easier, it will be less effective’. Therefore, it is up to experts to adopt solutions that are both secure and user-friendly.

The ensuing Q&A covered topics such as: whether wide-scale adoption of SCION will demand scalar change in Internet architecture (no, the SCION router is all that is needed, Perrig responded); how SCION differs from a firewall (it is an ‘implicit firewall’); the energy efficiency of SCION (it uses 5% less than regular networks, despite being more secure); and what incentives users of regular networks have to change to SCION (a more secure and path-aware network architecture). Lastly, summarising the benefits of the architecture, Perrig compared cyberattacks to weapons such as missiles, positing that their effects on SCION would be as harmful as ‘a squirt gun’.

The moderator, Dr Jovan Kurbalija, Founding Director of DiploFoundation and Head of the Geneva Internet Platform, highlighted the dichotomy between technological and policy fields in the cybersecurity domain. He then moved on to present the speakers.

Prof. Kavé Salamantian, Computer Science Department, University of Savoie and Senior Researcher, Castex Chair of CyberSecurity, IHEDN Paris, spoke about the semantic difference between cyber-strategy and cybersecurity. When people refer to cybersecurity, they are talking about stability and the status quo through maintenance of existing systems. As security is a more exclusive process, he prefers to use the term cyber-strategy, which, in technological terms, seeks to create measures rather than implement them. Professor Salamantian then pointed out the need to reduce the arrogance and lack of respect between the technical and policy fields of cybersecurity. He recommended this be done by increasing multi-disciplinary and other interactions between the fields, while increasing each other’s knowledge about the other’s field.

Prof. Solange Ghernaouti, University of Lausanne, and Director, Swiss Cybersecurity Advisory and Research Group, stressed the importance of multidisciplinary research and teaching. She said that it is important to incorporate social, economic, and wider policy issues related to the technological aspects and vice-versa. Professor Ghernaouti finished by pointing out that the existing problems in funding and organisations should be addressed while also looking at the importance of cybersecurity in the humanitarian field.

Mr Laurent Ferrali, Director, Government and IGO Engagement, Geneva Office, Internet Corporation for Assigned Names and Numbers (ICANN), stated that ICANN seeks to address the issue of silos by translating business and technological language to governments and vice versa. He emphasised that there is a need for better understanding of the big picture in cybersecurity but that, even with better understanding and threat assessment, the individual and technological issues form the weakest links in the cybersecurity chain. As such, there needs to be greater awareness and education about wider cyber hygiene, as we will not have full technological solutions until there is an increase in education. He finished by describing how ICANN needs to be developed to increase coordination, and to bridge the gaps between stakeholders.

Prof. Adrian Perrig, Computer Science Department, ETH Zurich, stated that sovereignty remains the central question in terms of ownership of computational technology. He said that private companies have far-reaching powers to change the rules of the Internet. Governments, however, with increasing cyber-offensive capabilities, have ‘indirect kill-switches’. To address these issues, there need to be technological changes as the current encryption used actually enables the existence of kill-switches. Perrig argued that non-technical issues might not in fact be the weakest link because there are technological measures that enable the placing of humans into the centre of coordinated decision-making in a safer ‘neighbourhood’ or environment.

In the lively discussion, the debate ranged from issues of cyber citizenship to blockchain. Salamantian emphasised the need to re-frame the issues around the interactions and connections between the real and the digital worlds. He also pointed out that we need to have kill-switches in case something goes wrong, with which Perrig agreed while advocating the need for transparency and accountability in their governance. He also pointed out that blockchain is not currently a solution to governance because of issues in the logic of majority. Salamantian and Ghernaouti concluded that there remains a need for further governance and regulatory measures as governments increasingly seek to assert control over the Internet.

The moderator then ended the debate after thanking the audience and panellists.

The ICANN60 Annual General Assembly Meeting had several sessions focusing on Domain Name System (DNS) abuse and mitigation. The first two workshops (WS 1 and WS 2), organised by Mr David Piscitello, Vice President, Security and ICT Coordination, ICANN, were held under the theme ‘How It Works: DNS Abuse’. Piscitello’s presentations explained various ways cybercriminals are using DNS fraud, hijacking via phishing, social engineering, and data breaches, and gave examples of the most prominent cases such as Avalanche and how it was tackled. Piscitello underlined challenges faced by law enforcement agencies, such as jurisdiction, lack of common criminal law, and the slowness of Mutual Law Enforcement Assistance, as criminals operate at Internet pace. Addressing privacy concerns as well as security, he pointed to alternatives such as tiered access to personal data. He mentioned another cause of security vulnerabilities: developers repeating their peers’ previous mistakes, such as continuing to use lax configurations.

The Domain Name Abuse Reporting System (DAAR) which uses public, open, and commercial sources such as DNS Zone data, WHOIS data and reputation blocklist (RBL) was the focus of the ‘Abuse Reporting for Fact-Based Policy Making and Effective Mitigation’ cross community session. DAAR and its planned open data initiative’s goal of ‘providing data to support community, academic, or sponsored research and analysis for informed policy consideration’ was discussed. Mr Rod Rasmussen, incoming chair, Security and Stability Advisory Committee (SSAC), stated that although the technological aspect of abuse (e-mails, browsers, firewalls detecting abuse in seconds) was solved, the policy aspect was not. He mentioned the use of reverse engineering domain name generators and observing the results to identify abusive users. Piscitello underlined this point saying that a system able to identify which policies worked and which did not was needed. The benefits of opening DAAR data to the public were listed as historical trend analysis, flagging registrars who are not responsive to abuse reports, contractual compliance reporting, and providing data for efficient policy making. Ms Tatiana Tropina, cybersecurity expert representing the Non-commercial User Constituency (NCUC), drew attention to the limited mission of ICANN, the dangers of blurring lines between DNS and content abuse, and risks related to self-policing by the domain name industry instead of law enforcement. Another participant stated that the data DAAR will open to the public was aggregate and could not be used for contractual compliance.

Ms Denise Michel, Business Constituency (BC), drew attention to data showing new generic top-level domains (gTLDs) experiencing 10 times higher abuse than legacy gTLDs, and stated that ICANN is planning to introduce a policy addressing this. How abuse reporting can support registries and registrars in their prevention and mitigation efforts was among the key questions discussed.

‘GAC discussion on DNS Abuse Mitigation’ was the final session of the annual meeting related to DNS abuse. Updates and action points of the Public Safety Working Group (PSWG) were presented to government representatives. The implications and possible benefits the DAAR and its planned open data initiative could have for domain names hosting child abuse material were among subjects flagged by Italy, the UK, Iran, and Australia’s GAC representatives.

The launch of the Geneva Digital Talks series – organised by the Canton of Geneva – gathered around 80 representatives from the technical, governmental, business, not-for-profit and academic communities. The speakers included representatives from the Canton of Geneva, the International Committee of the Red Cross (ICRC), the EPFL’s School of Computer and Communication Sciences, Deutor Cyber Security Solutions, the Federal Department of Foreign Affairs (FDFA), the University of Geneva, FONGIT (Geneva's high-tech start-up incubator), and the Geneva Internet Platform (GIP). The key messages of the launch event revolved around the need to understand cybersecurity in a multidisciplinary way.

At the start of the discussions, we were reminded that Geneva is, above all, a platform of dialogue and a place for finding sustainable solutions. Moreover, Geneva has a reputation as an ecosystem for stakeholder engagement, where the digital discussions can be people-focused.

Security is key to modern societies, but it was not originally built into the Internet. Addressing it now is comparable to repairing a plane while flying it. To understand the issue, the discussions followed the journey of an Internet data packet that crosses national borders, that is vital to digital economy and innovation, and is ultimately crucial in high-level negotiations impacting a number of sectors.

The interplay between the Silicon Valley as a place of technological development and social disruption, and Geneva as a constructive, human rights-oriented policy space, set the tone of the discussion. Recent calls from the private sector to advance discussions on a cyber treaty, brought forward the need to have a shared understanding of the vulnerabilities, issues and prospects of cyberspace. If a cyber incident amounts to a kinetic attack, international law applies, but for everything in between, there is a ‘grey zone’, just as there is for a distinction between ‘civilian’ and ‘military’ in digital terms. Previously, key conventions have been negotiated with the involvement of non-state actors in equally sensitive fields, such as the Biological and Toxin Weapons Convention or the Chemical Weapons Convention.

On its journey, the Internet data packet is first tested physically: the integrity and correctness of the code are essential, as there is no bug-free software or liability for software in place. While we are getting better at writing and verifying software in safety-critical applications, trust in the ability of others, who are unknown to us, to fix it is gradually eroding if we can no longer distinguish between good and bad intentions.

To diminish the risks of interference and misuse, the Internet data packet should be protected by a community that understands infrastructure and relevant technology, and invests in security. Suggestions were made to eliminate the prevalent ignorance and complacency about security, also distinguishing between IT security and cybersecurity. The latter concerns a criminal network with a goal. Effective co-operation needs to include users (to notify about breaches) and providers (to react to vulnerabilities or breaches) working together. Regulation can also be used as a carrot to incentivise and a stick to sanction those who do not comply, thus increasing the overall level of security.

When it comes to the framework for state action, different instruments are currently deployed. In addition to the guidelines provided by the UN Group of Governmental Experts in their 2015 report (11 voluntary norms), international law, and in particular the UN Charter, includes provisions on the use of force, the interference in the domestic affairs of states, the peaceful means to solving conflicts, but also, self-defense. International customary law covers state responsibility, even when using proxies, and due diligence for international wrongful acts that apply to digital space. In international humanitarian law, if the kinetic dimension is reached in cyberattacks, cyber means amount to armed conflict. Moreover, the human rights obligations of states apply online, as they do offline (e.g. freedom of expression). Confidence building measures, such as the ones put forward by the Organisation for Security and Cooperation in Europe (OSCE), represent additional means to strengthen collaboration at the global level. With this multi-layered framework in place, it is important to build awareness and strengthen the capacity of states to understand and apply it before new binding rules are discussed.

When discussing the attribution of risk and responsibility, there is a danger of substantive fragmentation: we have global technologies, but local laws and there is an overlap of regulations and sets of conflicting norms, that may be detrimental or counterproductive. The question here is whether we can move from the Geneva Digital Talks to policies, or even to the Geneva Digital Courts to address the needs of regulators. As the birthplace of international arbitration, Geneva has a unique role to play in the attempt to solve Internet-related disputes.

From a digital economy perspective, the Internet data packet has recently been carrying more and more sensitive records, including health and personal data, or social security information. With the advent of the Internet of Things (IoT), we will move from cyber to digital security in a much broader sense. Every second, 95 passwords are stolen around the world, showing that security by itself is no longer enough. There is a need to move from security by reaction to security by interaction. The Internet giants that operate most online services need to be brought into the conversation about norms, key responsibilities and regulation.

The Geneva Digital Talks will continue with a series of events in the build-up to the Internet Governance Forum. The focus of the GDT will be set on the following aspects, identifying key competencies available in Geneva: technological, legal, social and political.

The objective of the session was to discuss the meaning of digital citizenship; define the level of e-accessibility, obstacles, and risks; and explore issues such as the creation of secure digital identity and of a borderless digital society.

Mr Alex Wellman (Head of Marketing, Estonia Investment Agency), elaborated on Estonia’s e-residency programme, the advantages for business, the benefits from digitalization, and the difference of the initiative from countries providing tax benefits.

Ms Clara Sommier (Analyst, Public Policy & Government Relations, Google) emphasised the importance of accessibility for all in a digital society, along with the openness of the Internet, finding your voice online, and the ability to empower the disadvantaged and get them in the mainstream.

Ms Sandra Särav (PhD candidate at University of Lausanne, Switzerland) stressed that trust is the key to digital citizenship. She also emphasized the need for global citizenship.

Ms Marianne Franklin (PhD, Professor of Global Media and Politics, Goldsmiths University of London, UK and the Co-Chair of the Internet Rights and Principles Coalition at the IGF) noted that migrants, refugees, and asylum seekers need to be considered when discussing citizenship. It is important to define the digital citizen and to understand the issues holistically. She questioned whether digitisation or citizenship comes first. Franklin believes that the design of any digital framework for citizenship is critical and should not be restrictive. She emphasised the importance of design of the systems and the importance of having alternatives in order to avoid overreliance on one system. On the question of cross-border digital citizenship, it is important, she said, for countries to agree on some underlining principles.

To address the issue of digital skills of older people, Mr Haris Kyritsis (Greek Safer Internet Centre youth panel) shared the example of youngsters having digital skills, teaching older generations how to use this platform. Sommier suggested using a blend of online and offline options. Sarav emphasised showing and teaching elders how to use the Internet.

Mr Raed Yakoub (Research Associate at Goldsmiths, University of London) added that there may be different ways in which a group of people may be discriminated against owing to requirements for different identification and authentication documents than the ones they have. He proposed creating e-societies and e-residents as ways to encourage inclusion.

There was also a discussion between Sarav and Wellman on the advantages and disadvantages of having a single identity to stop digital threats.

On the question of the possibility of setting up a scrutinising body to ensure citizen data is not abused by any government, Sarav suggested the need to recognise cross-border interoperable services while Sommier suggested sharing only legitimate data with governments on a case-by-case basis.

Responding to the question of youth participation and their lack of trust in government, Sommier noted that e-participation is important, but that a suitable space needs to be created so that the voice of the youth can be heard. Such an initiative she believes needs to be taken at the political level. Kyritsis believes that digital citizenship can be an option to engage the youth. Franklin added that participation needs to be encouraged in many ways and on many levels. Having youth role models was also a suggestion.

Responding to the question as to what would be the perfect digital society, Sarav suggested the existing one, as there cannot be anything which is perfect; for Kyritsis, it is one where privacy and security issues are addressed; for Sommier it is when the Internet is open and everybody can access it safely. Wellman suggested looking at things from a higher level, while Franklin will be satisfied when citizenship is defined as inclusive participation and success is measured in terms of inclusion of disadvantaged in the society.

Ms Oliana Sula (Lecturer at Faculty of Business, Universiteti "Aleksander Moisiu" Durres) summarised the discussion, stating that the Estonian model can be termed as a best practice. She noted that models need to be customised and there is a need to make different systems more interoperable. Models should define digital citizenship and distinguish it from digital residency as well as define digital inclusion and how to address the disadvantaged to improve digital participation and regulating competition.

Members of the At-Large Advisory Committee (ALAC) and the Regional At-Large Organisations (RALO) leadership discussed policy and process issues related to the At-Large Community, which represents the interests of end-users.

The two-part session was chaired by Mr Alan Greenberg (Chair, ALAC).

Speaking in a private and personal capacity, Mr Göran Marby (Chief Executive Officer and President, ICANN) shared his experience from Sweden regarding the topic of universal connectivity. He gave a short background on Sweden and said that 100 years ago, Sweden was one of the poorest countries in the world, but has since become one of the richest, with a high living standard. Unlike its neighbours, Sweden was not invaded during the Second World War, which means that its industry was not affected by the war. That is when they started manufacturing and doing things together, and the country thrived.

When he worked at the Swedish telecom and postal regulator, Marby’s and his team’s main obligation was to provide connectivity. There is a regulation in Sweden that states that everyone must have access to the Internet. By the time he left the post, only 250 households out of 4.5 million lacked connectivity. This was attributed to the Swedish Broadband Forum, which Marby referred to as a ‘turning point’. Participants were encouraged to come up with a strategy for the Domain Name System (DNS), IPv6 and other related topics if they were to succeed in universal connectivity. Marby also talked about the Fibre to the village concept, which targeted 280 municipalities. About 170 municipalities funded their own fibre connections and built them themselves. He added that people tend to fund projects or give money when there are benefits. On the issue of spectrum and who it belongs to, he said that they decided that it was an asset to the people, and that its value should go back to the people. He said that first, they needed to increase or maintain competition, and second, they needed to use it to get coverage. These two points would ensure that they get the money. Currently, 80% of Sweden has mobile coverage; the remaining areas which are not covered are places like national parks and reserves. Marby’s advice is to do things together, as a joint effort: ‘you have to sit with people and work with them’ in order for the project to succeed.

The meeting went on to discuss the At-Large Summit (ATLAS) III that will take place in March 2019 in Kobe, Japan, during ICANN64. ATLAS is a global general assembly, held once every five years. The first ATLAS was in Mexico City in March 2009, the second was in London in June 2014. Session attendees were tasked with thinking of criteria for selecting participants for the 2019 ATLAS. There were also discussions about the fact that many At-Large Structures (ALSes) seem not to be active, and that there is a need to make them so. Additionally, members agreed that newcomers should be encouraged to participate while other already active participants should get funds to attend the summit.

Mr Patrik Fältström (Chair, Security and Stability Advisory Committee (SSAC)) gave an update of the SSAC's activities. According to its charter, SSAC focuses on advising the ICANN community and Board on matters relating to the security and integrity of the Internet’s naming and address allocation systems. Expertise of the committee ranges from addressing and routing, to DNS, DNS Security Extensions (DNSSEC), domain registry/registrar, DNS abuse, etc. Since 2002, the SSAC has produced 97 publications in the form of reports, advisories, and comments. Outreach is a major function of the SSAC.

Currently, the SSAC is looking into name space issues, harmonisation regarding Internationalized Domain Names (IDNs), organisational review (external and internal), and rate limiting issues, among others. Fältström also shared current and future milestones, which include contributions to the Work Stream 2 (WS2) of the Cross Community Working Group on Enhancing ICANN Accountability (CCWG Accountability). WS2 was launched after the Internet Assigned Numbers Authority's (IANA) stewardship transition, to continue addressing ICANN accountability topics. Work Stream 1 (WS1), finalised before the transition, focused on mechanisms enhancing ICANN accountability that were required to be in place or committed to within the time frame of the transition.

Regarding security concerns of end users, especially since At-Large represents the interest of end users, Fältström said that digitalisation of society is happening, things are moving to the cloud, and there is business evolution. These things require Internet Protocol (IP) addresses. He thinks that there is not as much effort being put into building a robust Internet, as there is in building applications and solutions. Fältström finished by saying that DNSSEC is important for ICANN.

Mr Göran Marby, CEO and President, Internet Corporation for Assigned Names and Numbers (ICANN), delivered the final keynote speech of the tenth edition of EuroDIG. Marby reflected back on the time he lived and worked in Tallinn, and said that Estonia has made noteworthy progress since then. According to him, it was the power of the Internet that made the fast positive change over the last twenty years possible.

EuroDIG 2017 brought up the timely discussion on how we use the Internet, reminding us that it is not a natural resource, but one that the whole community has to take care of. In 2016, ICANN and the Internet Society celebrated the twenty-fifth birthday of the Internet and the progress end-users experience today. Marby focused on several points correlated with the discussion during the event.

First, he emphasised that partnerships and the multistakeholder model are at the centre of ICANN’s work and provide for the interoperability of the Internet. The Internet needs of one end-user differ from those of another, and only interoperability can provide co-operation.

Second, in order to protect this interoperability, Marby stressed the importance of technology and the underlying functionality that enables the operation of the Internet. ‘We are not the Internet, but we are what controls it’, Marby said. With regard to technical operability, he mentioned the importance of the Domain Name System Security Extensions (DNSSEC), and reminded the audience about 11 October 2017 as a milestone for ICANN, when the new Key Signing Key (KSK) rollover will take place.

Third, Marby addressed the negativity surrounding the current discussion on the Internet, and reminded us of its positive sides. ‘The Internet is not done’, Marby noted, and expressed ICANN's goal of connecting an additional 1.5 billion users worldwide with the current 4 billion connected users. In his view, the key for the future of the Internet is recognising the users' local needs. The future Internet will be both local and global, Marby concluded. Lastly, he reminded us once again that the Internet is not a natural resource, and has to be updated, mended, and fixed all the time by the whole community.

The President of Estonia, Ms Kersti Kaljulaid, started the conference with welcoming remarks. She noted that we are all connected – by optical cables and computers – but mostly by our faith in human development and freedom. We believe in free and fair elections, the rule of law, an independent judiciary, and human rights and freedoms. In modern society, free Internet is fundamental as it affects culture, the economy, communications, governance systems, and international relations.

Nonetheless, security should not be used to restrict the freedom of expression since security and freedom are not mutually exclusive, she emphasised. Securing online interactions is a precondition for enjoying Internet freedom. She gave the example of Estonia which balances between security and freedom through providing a network of public and private e-services based on a secure online identity. The country is also proud to be, as per Freedom House, the first in the world in Internet freedom.

Kaljulaid highlighted that today, much of the world’s commerce and communications pass through the Internet and hence the benefits of e-services outweigh the investment costs to create and maintain them. Estonia provides effective e-services that save 2% of the GDP. In this regard, she further referred to the World Bank 2016 report, which underscored that connectivity does not inevitably result in digital dividends. Digital technology transforms societies if supplemented by policies that support digital adoption.

Finally, she mentioned that Estonia will take EU presidency soon. Their presidency has a strong digital agenda that focuses on strengthening the single digital market, increasing solutions for cross-border e-services, and facilitating strategic discussion among member states as a cybersecurity strategy is expected in 2017.

The President of Lithuania, Ms Dalia Grybauskaite, commenced by noting that digital society is more competitive and democratic because it allows citizens to express their opinions. However, it remains a tool for European integration, and competitiveness depends on the political will to integrate. ‘A lot of people look to us because we should not only lead, but also help other countries. We have many events in this area and we hope that they do not only demonstrate our knowledge but also our willingness to introduce all areas of our life including digitisation and Internet’, she alluded. Europe is used to living in this environment, but it is also realistic about the threats entailed. Such risks should be challenged, not only through military exercises and deterrence, but through developing capacities and being innovative, competitive, integrated and knowledgeable. She finally said that she hoped that the Estonian presidency will take the lead on that.

The final remark was made by Ms Sandra Hoferichter, Secretary General, EuroDIG Association, who provided an overview of the history of the Internet policy dialogue in Europe. In 2008, EuroDIG was one of the first initiatives to discuss Internet governance after the establishment of the global IGF. What started as the idea of ten enthusiastic individuals in a café in Paris, four months later led to a meeting hosted by the Council of Europe, to discuss the potential of this dialogue. Now, there are more than twenty national and regional Internet governance initiatives across Europe, committed to the multistakeholder model.

In her talk, she noted that although many governments in Europe and around the world are committed to multistakeholderism, it is not considered to be the model of the future and forums like this are sometimes questioned vis-à-vis the impact they make. In many parts of the world, legislation is made without consultations with the relevant stakeholders. The digitisation in our life sometimes happens without an option to opt out. Yet, most users do not really see the need to be engaged in Internet governance. It is thus the aim of EuroDIG to raise awareness of the challenges ahead and to facilitate discussions, but not to finalise them. Over the past years, the discussions at EuroDIG focused on the European digital single market and industry 4.0. However, recent developments have shown that some people fear the digital revolution that goes along with the loss of their workplace and privacy. Therefore, ‘we are here looking at the digital future from a different angle, to discuss the promises and pitfalls’, Hoferichter concluded.

The session, moderated by Ms Tatiana Tropina, Max Planck Institute for Foreign and International Criminal Law, and Mr Vladimir Radunović, DiploFoundation, focused on how security threats change the cybersecurity landscape and influence the perceptions and actions of different stakeholders. Tropina instigated the discussion by asking the panellists to pinpoint the cybersecurity challenges in their respective fields.

Ms Sally Wentworth, Vice President of Global Policy Development, Internet Society, provided a global perspective noting that in an increasingly compelled security environment, security could hinder interoperability and lead to potential fragmentation. The importance of laws and norms was emphasised by Ms Marina Kaljurand, Former Foreign Minister of Estonia, Chair of the Global Commission for the Stability of Cyberspace, who explained that governments should lead through a multistakeholder approach. In the same vein, Mr George Jokhadze, Cybercrime Programme Office, Council of Europe, identified key challenges: first, regulations, in terms of drafting new rules and laws but also applying old laws, such as the Convention on Cybercrime; second, awareness of law enforcement agencies and citizens; and third, international co-operation and collaboration with technology companies such as Facebook, Google, Microsoft. On the other hand, Ms Kaja Ciglic, Director, Government Cybersecurity Policy and Strategy, Microsoft, pointed out that the challenges are not specific to Europe, but they are global. On top of them is the security-centred approach, adopted by many governments. Additionally, basic security measures and awareness can help avoid some challenges and create tech-savvy citizens.

Radunović then put forward another question: who should protect cyberspace? The government, industry, technical community, and/or users? Mr Chris Buckridge, RIPE Network Coordination Centre, explained that there is no single answer. The government clearly has a role but they do not have the required technical expertise. This led Tropina to further ask: who should lead the multistakeholder model? She noted that during the CyCon 2017, it was said the governments are mastering cyberspace but not the protection of cyberspace. In response, Kaljurand underscored that cybersecurity is part of national security and hence citizens expect the state to handle that. However, it is a responsibility shared between governments (which have the biggest share), the technical community, industry, and civil society. But governments have to lead since it is the duty of governments to ensure security, the integrity of data, and authentication of people. Wentworth further asserted that leadership depends on the issue at hand. For example, the industry should lead on issues related to innovation and scaling networks to meet future demands.

When the floor was opened for discussion, the audience spoke about the role of government, but also the industry that should provide reliable products, and end-users who should be educated. Some explained that governments have a duty to provide protection and raise awareness. However, it was mentioned that some governments are not trustworthy, as they could represent a threat rather than provide protection.

To address the question of whether technology, regulation, or social contracts/norms can protect cyberspace, Ciglic pointed out that, on the one hand, the fast pace of technology challenges the capacity of governments to provide the necessary protection. On the other hand, security attacks harm businesses and hence more investment in security is important. Building trust in the online environment is therefore important for businesses to operate. Jokhadze added that cybersecurity is not only about protecting citizens, but equally about punishing wrongdoers.

Radunović asked: Do we need more regulations? In reply to this, Wentworth alluded to the possible tools to deal with security. Technology is constantly evolving and policy should also be evolving to address issues as they come up. In addition, consumers should demand security and privacy as their entitled rights. Tropina, however, argued that consumers do not demand security as they look for what is cheapest. Consumers thus need more security awareness raising. Finally, Kaljurand highlighted that experts have provided interpretations of international laws to cyberspace and hence governments have to decide how to take them forward. Ciglic noted that Microsoft has been active in international cybersecurity norms for five years, not focusing on content regulations but on limiting specific sets of government behaviour.

Opening the session, co-moderators Mr Dirk Krischenowski, dotBERLIN GmbH & Co. KG, and Ms Maarja Kirtsi, Estonian Internet Foundation/.ee, explained that the discussion will focus on issues related to innovation and competition on the domain name market, especially in the context of new generic top-level domains (gTLDs), launched by the Internet Corporation for Assigned Names and Numbers (ICANN) in 2014.

To kick-start the debates, Krischenowski gave an overview of a study conducted by ICANN on competition, consumer trust, and consumer choice in the domain name market. Some of the main findings of the study: new gTLDs contributed to the growth of the market; the sales channel integrated the new gTLDs quickly and led to much greater consumer choice; many new registrar operators entered the market, especially in former under-developed markets; the number of registry operators increased by a factor of 60; typical TLDs are niche, targeted, and geographic TLDs. Overall, the New gTLD Program has led to a dramatic increase in consumer choice, a modest increase in competition, and minimal impact on consumer trust.

Ms Elena Plexida, European Commission (EC), talked about the evaluation and revision process that the EC has launched with regard to the regulations for the .eu TLD. She explained that the .eu TLD was formally established by Regulation 733/2002, while EC Regulation 874/2004 set the rules for the registry and the .eu. The .eu TLD was delegated by ICANN in 2005. As the market has continuously changed, these regulations have become outdated, have generated administrative challenges and need a revision. Issues to be analysed during the evaluation process include: whether the .eu objectives have been achieved (to boost e-commerce and empower end-users to create a European digital identity), the legal separation between registry and registrars, whether the registry should be more active in other Internet governance areas (and how).

Mr Jörg Schweiger, DENIC e.G./.de, outlined one issue of concern for the domain name industry: How to make sure that domains do not subsurface, in the sense that they exist from a technical point of view, but users are not really aware of them? The industry has been constantly looking for the ‘killer application’ to address this issue. He pointed out that one way to make domain names more attractive could be to build on the discussions about self-determination, sovereignty, and identity. The main objective of .de now is to retain as many domain names as possible, and the direction the registry is growing in is not necessarily related to innovation per se, but rather to having a secure domain name space.

Ms Lianna Galstyan, Internet Society Armenia, said that the .am registry never had an objective to have a high number of domain name registrations, but rather, to give the community the possibility to register domain names under .am. The same rationale was also behind the launch of the Armenian Internationalised Domain Name (IDN).

Mr Ardi Jürgens, Zone Media OÜ, pointed out that domain names do not exist in a bubble; they are part of a system which includes resources and applications. A healthy growth in the demand for domain names could result in applications and people using domain names for creating value, either for them or society. In the search for a ‘killer application’, the industry should look at young people and try to find a way to create value for them within the domain name space. Compared to social media platforms, domain names have the main advantage of being under the control of the registrant, and this is something that the industry should try to communicate better.

Mr Andrea Beccalli, ICANN, discussed examples of innovation in the DNS, such as the new gTLDs, the introduction of IDN TLDs, and the DNS Security Extensions (DNSSEC). Even the community work on developing the rules and processes for the New gTLD Program can be seen as a form of innovation. Schweiger, however, argued that the new round of gTLDs does not necessarily mean innovation, as it was simply presenting what was on the market already – TLDs. Moreover, most business models surrounding new gTLDs are similar to what had been on the market before their introduction, with only a few exceptions.

Security in the domain name space was mentioned during the discussions as an area that deserves more attention. There are troubling correlations between new gTLDs and ‘innovation in crime’, and there are service providers who have blocked all new gTLDs from their servers due to security concerns. Innovation on the security front should be a priority for new gTLDs. Privacy is also an issue that requires increased attention, as users are more and more demanding in this regard.

The risk of cybersquatting was also raised as an issue of concern for new gTLDs, with regard to the protection of trademarks. It was said that the current protection mechanisms (such as the sunrise period allowing trademark holders to register relevant domain names, and mechanisms for rights enforcement post domain name registration) are helpful, but not sufficient. Such issues are currently analysed within the ICANN framework.

At the end of the session, a point was raised – that it is not actually clear what is innovative in the domain name space, as TLDs have been in place for many years and they are basically the same ‘technology’ or ‘tool’ that they have been since the creation of the DNS.

The objective of the session was to discuss the basic technical concepts which are the building blocks for cybersecurity discussions.

The session was initiated by the moderator, Mr Chris Buckridge, External Relations Manager, RIPE Network Coordination Centre (RIPE NCC), who stressed the need to understand the technical concepts at work in order to understand the building blocks for contributing to the cybersecurity discussions. In addition to the technical community, other stakeholders also need to understand what happens on the Internet and how it happens.

Mr Patrik Fältström, Manager Engineering, Research and Development at Netnod, Stockholm University, elaborated on the meaning of time, noting that the measurement of time is dependent on accuracy and precision. Based on their requirements, organisations need to choose between accuracy and precision. He added that time stamps need to be accurate, especially for events happening in distributed systems. While new technologies such as 5G clocks need to be more accurate, there are challenges owing to the differences in time scales, even within the same time-zone.

Answering a question about Galileo, the global navigation satellite system, vis-à-vis the Global Positioning System (GPS), he clarified that the former is more modern, but very similar to GPS.

Responding to a question on the Netnod system, Fältström explained that the Netnod system does not allow access from outside, as redundancy is important for resilience when it comes to security issues.

Fältström explained the importance of replaceability, redundancy, and having multi-vendors that are informed on the way the system works. Moreover, consumers should have the option to choose which service or vendor they want to use.

Mr Marco Hogewoning, External Relations Officer – Technical Advisor, RIPE NCC, pointed out that while most people treat cybersecurity as a technical problem, it is much more than that. He added that although technology can secure the systems, there is a cost associated with building the systems and a need for willingness to apply the solutions. He further added that as cybersecurity is a broad subject, it needs the involvement of all stakeholders, even when the solutions are being designed. He further stressed the importance of looking outside the cause and complexity of cybersecurity, for a more simplistic solution.

Hogewoning indicated that laws today are mostly reactive, and it is important to invest in preventive security, educate people, build quality products and pay the price of the product. He went on to say that it is important for people to report cybersecurity breaches, in order for Computer Emergency Response Teams (CERTs) across the world to provide reports which are meaningful and functional and can help in the discussions.

Ms Marjolijn Bonthuis Krijger, ECP, reiterated that while technical skills are important, it is equally important to have knowledge about cybersecurity and to teach oneself, employees, community members, and young children about it.

Mr Peter Koch, Policy Advisor at DENIC, emphasised the need for standards. While the complexity in standards today leads to challenges in deployment and their misinterpretation, it is important to learn from mistakes and not repeat them.

He further stressed the fact that no software is bug-free today, especially as software has dependencies on the building blocks, which may have bugs that are harder to fix. Even operating system software has an option to review codes, and security software operating systems have been reported to have bugs. It is therefore important for organisations to invest money and manpower to review software in order to fix the bugs. Moreover, there should be an incentive among users to upgrade the existing versions. He also added that security is like an organisation and demands attention, and that the human factor should not be ignored.

One of the paradoxes of data society is that there is not enough data about data society itself. Numbers are used without the necessary rigor. For example, estimates of damage from cybercrime range from tens to hundreds of billions. The volume of e-commerce is also estimated to have a very wide range.

The session on Global Survey of Internet User Perceptions provided a fresh breeze by presenting data from 24 225 Internet users from 24 countries on Internet Security & Trust. This global survey was conducted by the Centre for International Governance Innovation, IPSOS, Internet Society, United Nations Conference on Trade & Development (UNCTAD), and International Development Research Centre (IDRC).

The presenters summarised the main findings of the survey which led to discussion:

1. There is greater online trust in developing than developed countries

Some argued that developing countries are in an ‘early growth’ phase. Others questioned whether the amount of trust in developing countries is proportional to the lack of information and awareness of risks.

2. There is greater trust in the Internet industry (ISPs, online services) than in governments

The most trustworthy actors are Internet service providers (66%) and online banks (65%). Internet users have least trust in the responsible behaviour of foreign governments (43%).

3. The trust in their governments varies greatly

81% of Indonesian survey respondents trust their government to act responsibly online. At the other end of the spectrum is Mexico, whose government enjoys the trust of only 25% of the survey’s respondents.

4. A lack of security is the main source of distrust

According to the survey, most Internet users do not trust the Internet because it is not secure (65%). The lack of trust is slightly lower when it comes to the reliability of the Internet (40%).

5. Cybercrime is the main concern

6. Changes in online behaviour could lead towards more trust

45% of the survey’s respondents avoid opening emails from unknown email addresses. This is becoming part of the global digital hygiene. Most panellists during the discussions highlighted change in online behaviour as one of the main ways towards increasing both security and trust on the Internet. For ISOC, increasing the cybersecurity culture is one of the cornerstones of the concept of collaborative security. The survey shows particularly noticeable changes in online behaviour in Latin America.

7. Economic patriotism online

Internet users prefer to buy goods and services from their own country even if they have a chance to buy them from abroad via e-commerce platforms.

8. Digital policy

The survey identifies the following issues as the main concern for Internet users: consumer protection, protection of data privacy, and protection against cybercrime. The discussion focused on two ways for strengthening digital policy space: government regulation and ‘policy by design’. For example, an Internet Society representative argued that privacy-by-design, in particular encryption, could be a solution for data protection and privacy.

This session addressed the concern over the rise of cybercrime and its consequences for privacy and security online, as well as the resulting lack of trust among consumers and governments to adopt digital technology. The topic was introduced by the moderator, Ms Cécile Barayre, Economic Affairs Officer at UNCTAD, who stressed the transformational nature of e-commerce, generating both opportunities and challenges.

Barayre then went on to introduce H.E. Ms Rahman Ahmad Khan, Minister of State for Information Technology and Telecom, Pakistan, who outlined some of the critically important areas for addressing cybercrime:

Looking at enhanced co-operation between states and other stakeholders.

Building consensus around agreed international protocols that ensure the realisation of an open, secure, and reliable cyberspace.

Implementing capacity building for countries that lack expertise.

According to Ahmad Khan, users must have the same rights and protection online as they do offline in order for user trust to be restored.

Next, Prof. Ian Walden, Queen Mary University of London, addressed the legal aspects of responding to cybercrime. For state response to be effective, there needs to be a harmonisation of criminal justice systems, for example around the Council of Europe’s Budapest Convention, and criminal justice relations need to be regulated in such a way as to enable the co-operation between law enforcement agencies. Policing cyberspace should focus on prevention and disruption, rather than prosecution, and needs to happen in collaboration with third parties, such as service providers and the Internet industry. Effective cybersecurity strategies need to address prevention and cultural shifts to change the culture of insecurity. Finally, legal and regulatory responses should include criminalising conduct, enhancing law enforcement powers (while taking into account the need to safeguard privacy rights), and putting into place cybersecurity frameworks that include prevention and permit active defence.

With a view from the private sector, Mr Yuejin Du, Vice-President of Alibaba Security, outlined the key cybersecurity challenges:

Technological challenges: loopholes can never be fixed and the number of vulnerabilities is countless.

Human challenges: the weakest link is always there.

Opponents are big, organised, advanced, and globalised actors.

To combat these challenges, Du provided several examples of the technological measures taken by Alibaba Security, as well as its efforts to build a ‘security alliance’ with other actors in the e-commerce ecosystem. Finally, co-operation with law enforcement is inevitable.

Zooming in on one solution against cybercrime, Prof. Nir Kshetri, Bryan School of Business and Economics, University of North Carolina, explained the role of blockchains in strengthening security of the Internet of Things. He compared the potential of blockchains with cloud-based services, and highlighted their decentralisation as a particular advantage. Another solution was provided by Mr David Satola, Lead ICT Counsel, World Bank, who introduced a portal for capacity building for emerging countries, available at www.combattingcybercrime.org. Its aim is to enhance the capacity in developing countries of the policy, legal, and criminal justice aspects of building an enabling environment to combat cybercrime. The portal consists of a toolkit, an assessment tool, and a virtual library. Mr Gustav Lindstrom, Head of the Emerging Security Challenges Programme, Geneva Centre for Security Policy, presented a similar project: the National Cybersecurity Strategy (NCS) Guide. This project is spearheaded by the ITU in collaboration with 14 partners from different sectors, and aims to produce a reference guide for developing and implementing a national cybersecurity strategy. The guide covers the overarching principles of a NCS, an overview of good practices, and a practical guide for the strategy formulation process.

Finally, Ms Marilia Maciel, Digital Policy Senior Researcher, DiploFoundation, presented the trends, challenges and opportunities of capacity development in cybersecurity. First, she highlighted the changing social context in which individuals and societies are becoming cyber-dependent. As digital services become increasingly complex, complete security will never be possible and risk will always be present. Therefore, it is key to make the environment around cybercrime more secure. She pointed at the surging number of bilateral agreements on cybersecurity, as well as some of the multilateral instruments in place, which all refer to the need for capacity building.

She then presented a number of lessons learned from DiploFoundation’s capacity development initiatives:

Capacity development needs to reflect the multidisciplinarity of the topic.

Capacity development needs to allow for knowledge-sharing across professional cultures.

There are extensive gaps in capacity building in different regions and among different stakeholders. This can be overcome by frameworks for regional co-operation, and by involving different sectors.

The eleventh Symposium of the Future Networked Car took place on 9 March 2017, during the 87th edition of the Geneva International Motor Show. The Symposium was jointly organised by the International Telecommunication Union (ITU) and the United Nations Economic Commission for Europe (UNECE). The main objective of the event was to offer a platform for a fruitful discussion among different stakeholders – vehicle manufacturers, governments and Information and Communications Technology (ICT) industries – on the future of vehicle communication and automated driving.

The session started with opening remarks from Mr Malcolm Johnson, Vice Secretary-General at the ITU, who stressed the importance of bringing together multiple stakeholders in order to foster technological innovation. In particular, he underlined the crucial role of the ITU as a UN-mandated agency that has successfully brought together and facilitated the convergence between two communities: industry and ICT sectors. The Symposium has seen growing participation in the last years, and has attracted more than 170 participants in 2017.

Ms Eva Molnar, Director of the Sustainable Transport Division of UNECE, joined Mr Johnson in stressing the importance of co-operation, not only between different industry sectors, but also between different agencies – as is the case with the ITU and UNECE. In particular, her speech approached vehicle automation from a regulatory perspective: she reasoned on the relevance of the existing legal conventions vis-à-vis the latest technological changes and pushed for the development of harmonised regulations.

The event comprised five thematic panels, each discussing a specific aspect of vehicle automation.

The Executive Roundtable reflected on the advantages and challenges that automatic driving will bring to individuals and societies once such technology is spread on a larger scale. All speakers talked about the necessity of harmonising the standards regulating such technology among different countries.

In particular, Mr Anders Eugensson, Director of the Governmental Affairs Department at Volvo Car Group, analysed the benefits of automated driving for individuals in terms of costs, liability and accuracy of data. With the development of such technology, customers would purchase automated driving packages that would cost less than a car. Moreover, he considered that cars will operate autonomously, and, in case of accidents, the responsibility would not rely directly on customers. Finally, thanks to cloud connectivity technology, the data available to the car system will be more accurate.

The Second Panel reflected on the benefits of fifth generation mobile networks or wireless systems (5G) for the development of automated driving. The speakers agreed on the crucial role of 5G technology for automated vehicles, especially in terms of connectivity and communication among units. Mr Peter Vermaat, Chair of the Connected Vehicle Working Group at the Wireless World Research Forum, considered that as opposed to a cloud computing type of connectivity (i.e. storing and accessing data over the Internet), Peer-to-Peer (P2P) computing (interconnected communication among peers, i.e. automated vehicles) allows for increased safety and improved efficiency of communication, and reduces the need for infrastructures.

The Third Panel discussed how Artificial Intelligence (AI) will change current transport systems. All the speakers built their discussions on the benefits of automated driving discussed by the previous panellists. Furthermore, they focused mainly on the possible risks to individuals from the deployment of AI. They assessed such risks in terms of security (protection from cyber-attacks), personal data protection (privacy concerns) and social economic externalities (loss of jobs in the car industry or transportation sectors).

The Fourth Panel focused on the relationship between connected vehicles and automated driving. The panellists discussed the co-dependency of connectivity and automated driving: having accurate communication systems among vehicles is crucial for the development of automated driving systems on a larger scale. David Holecek, Director of the Connected Products and Services Division at Volvo Car Group, concluded that connectivity, autonomous driving and AI are the cornerstones that will develop the concept of fully autonomous cars rather than autonomous driving in the future.

The Fifth Panel concluded the session by focusing on the cybersecurity threats to automotive systems. The speakers discussed the consequences that connectivity has in terms of individuals’ security in particular. Based on an interconnected system, automated vehicles operate in a constantly-hostile environment, susceptible to hackers’ attacks, resulting in financial cyber ransom, car theft and loss of control over the vehicle.

The 47th WEF Annual Meeting, which took place in Davos-Klosters, Switzerland, on 17‒20 January, brought together leaders from across business, government, international organisations, academia, and civil society, to discuss several digital policy issues.

The future of the digital economy was an overarching theme for many sessions, exploring aspects such as the digital transformation of industries, the fourth industrial revolution and its implications (in areas such as gender equality and jobs), steps for shaping national digital strategies, the need for shared norms and rules for the digital economy, and trust-based collaboration among stakeholders. Security and crime in the digital era were part of the discussions, with a focus on multistakeholder approaches for tackling cybercrime, the cyber resilience of critical infrastructures, cyberwar and forms of manifestation, and terrorism in the digital age. During the meeting, WEF launched a report on Advancing Cyber Resilience: Principles and Tools for Boards. Prepared in collaboration with the Boston Consulting Group and Hewlett Packard Enterprises, the report outlines a series of principles and tools for companies to tackle cybersecurity risks and ensure the resilience of their information infrastructures.

The advancements in the field of Internet of Things (IoT) and artificial intelligence (AI) were also looked at during this year's WEF meeting, as participants explored policy implications and outlined the need for principles and standards to ensure that IoT and AI products bring benefits to society as a whole, while minimising the risks (in areas such as social inclusion, privacy, and security). Trustworthy online information, a topic that has attracted a lot of attention lately, was also discussed, with a focus on possible modalities for balancing freedom of expression with the need to educate users on how to differentiate between real and misinformation.

In addition to contributing their views to these and many other discussion tracks, WEF participants used the meeting as an opportunity to launch new initiatives and agree on future actions. In one such example, major financial service providers (e.g. Mastercard, Visa, and Paypal), global IT and telecom companies (e.g. Ericsson and GSMA), and intergovernmental organisations (e.g. the United Nations Development Program and the United Nations High Commissioner for Refugees) agreed on six principles on public-private cooperation aimed at facilitating digital cash payments in crisis-affected populations.

As has been the case at many other high-level events recently, the Agenda for Sustainable Development also featured high in Davos. On a more general level, world leaders discussed the challenges of globalisation and the increasing anti-globalisation trends. Many of the debates revolved around the need to identify modalities for reforming the governance of globalisation processes, with a view to improving them and making them better suited to contribute to global growth and development.

The 2017 United Nations Office at Geneva (UNOG) and the Geneva Centre for the Democratic Control of Armed Forces (DCAF) seminar discussed the topic of Violent Extremism Online – A Challenge to Peace and Security. The three-hour session started with an introduction by Mr Michael Møller, Director General of UNOG, concerning the importance of eradicating violent extremism online as a challenge for peace and security. As he indicated, the risk of further violence arises and the Internet needs to be protected from terrorist attacks. He also mentioned the crucial role of the next Internet Governance Forum (IGF), to be held in Geneva in December 2017, in the fight against violent extremism online which would be, as he stated, ‘a major opportunity to tackle the issue in the International Geneva’.

Mr Adam Deen, Senior Researcher and Head of Outreach at the Quilliam Foundation, the first speaker of the session, focused his presentation on the ideology and the underlying reasons which led to the creation of the Islamic State (ISIS). As a former member of an Islamist extremist organisation himself who utilised universities for recruitment, he perceives the creation of ISIS as a logical result of 20 years of hidden groupings all over the world which today broadly use the Internet for the recruiting process. He also considers that the use of the Internet for recruitment purposes is a strong advantage for terrorists, given its anonymity, its interactivity which spreads contagious ideas faster, its accessibility, and, most importantly, its inexpensive fees.

Deen underlined the strong power of online interactivity which helps terrorists to easily provide their own religious instruction, reports from battles, interpersonal communications, threats against western countries, and pictures of the daily life of a terrorist with the aim of normalising them and creating a sense of belonging and camaraderie. According to research carried out by the Quilliam Foundation, approximately 1000 pieces of media content are provided each month by ISIS. He added that most of the content focuses on mercy, redemption, and camaraderie, notions that are already strongly present within the Muslim community and exploited by ISIS through personal grievances used to manipulate the recruits and increase the sense of belonging. He regrets that the interactivity as such also contributes to a form of clustered discourse which leads to extremism, since there is no time given for debate and for ideas to evolve.

One of the main highlights of Deen’s speech concerned the dehumanisation of the victims which, as he stated, is also part of the ideology supported by ISIS. He explained that the ideology as such creates a barrier between believers and non-believers and rationalises the violence. In his opinion, this facilitates the preparation of attacks and eradicates a possible mutual coexistence between believers and non-believers since the recruits do not see themselves as part of a society as a whole but as part of a transnational community that stands out from the rest of the world.

Deen’s speech also focused on the concept of pre-propaganda, which in his opinion forms the root of the extremism we face today and the main reason behind the creation of ISIS. In his own words, ‘ISIS did not create extremism, extremism created ISIS.’ He said we cannot count on the disappearance of ISIS to put an end to the ideology. In his opinion, the ideology as such needs to be made irrelevant or obsolete.

For the second part of the session, the panel on Violent Extremism Online was moderated by Ms Anne-Marie Buzatu, Deputy Head of Public-Private Partnerships Division at DCAF, who underlined the importance of practical solutions to put an end to the development of ISIS and violent extremism online.

Ambassador Kok Jwee Foo from the Permanent Mission of Singapore to Geneva stated that we live in a fragmented world which also allows the establishment of sophisticated and violent transnational communities such as ISIS to propagate a message and pursue a political goal. He added that Singapore has also been confronted by recruits willing to join ISIS and underlined that the battle against ISIS concerns everyone and needs to be addressed by multiple stakeholders. Part of his speech focused on the diversity of Singapore and the need to establish concrete policies to preserve the common space and to ensure an openness to all religions. He stressed that efforts at deepening multi-racial and multi-religious harmony are a never-ending endeavour.

In an effort to ensure inclusion and counter extremism, two policies have been established in Singapore. The Religious Rehabilitation Group (RRG) was launched in April 2003 by the Muslim community and academics to combat misinterpretations promoted by self-radicalised individuals and those in support of ISIS through media content. SG Secure is an initiative put in place by the Ministry of Home Affairs to promote community vigilance, cohesion, and resilience against global terrorism on the rise and to apply concrete measures. One of these measures consists of visiting every single home in Singapore to raise awareness of security and to encourage families to participate in this programme. Ambassador Foo concluded by underlining the importance of such policies and the need to find the right balance between security, freedom of expression, and international cohesion.

The second panellist, Mr Adam Hadley, Project researcher and associate at the ICT4Peace Foundation, presented an overview of the foundation’s activities, findings, and recommendations on counter terrorism. As part of its activities in 2016, phase one analysed threats regarding the use of technology by terrorists and scoped out practical measures. Three global workshops were organised to include various stakeholders from the private and public sectors. The outcome report, published in December 2016, entitled Private Sector Engagement in Responding to the Use of the Internet and ICT for Terrorist Purposes, provides an overview of the current threat assessments, emerging or potential threats, and responses from technology companies involved in several initiatives such as the Global Network Initiative (GNI) based on United Nations and human rights principles. The initiative targets four areas in particular: development of guidance systems, building of training capability and legal teams, cooperation with Internet referral units (IRUs), and investment in counter narrative to support civil society.

Another important point in Hadley’s speech concerned the active role of technology companies such as Facebook, Microsoft, and Twitter which publish transparency reports and deliver information about requests for the takedown of online content from governments all around the world. He also stressed the urgent need to create frameworks respecting human rights and mentioned some concerns about the legitimacy of the private sector and the capacity of small companies to develop policies to challenge the use of the Internet by terrorists.

Several recommendations have been established by the ICT4Peace Foundation including the will to build on existing initiatives, to support dialogue regarding a normative framework through a multistakeholder approach, to encourage coordination, to establish global knowledge sharing and a capacity-building platform focused on policy and practice, to build the capacity of small tech companies, to support data-driven research on effectiveness, and to promote digital literacy. The conclusion of the speech focused on the foundation’s plans for 2017, which provide for the inclusion of more stakeholders in the fight against violent extremism online and the establishment of a platform which aims to share global knowledge on emerging practices, norms, standards, and policies that have been developed on the subject matter.

The final speaker, Mr Mark Stephens, International Human Rights Advocate, CBE, and Independent Chair of the Board of Directors of the GNI, presented the work of the GNI which brings together ICT companies and investors willing to forge a common approach to freedom of expression online. The GNI focuses on two elementary human rights - freedom of expression and the right to privacy - principles that are designed to protect citizens and to prevent any serious consequences of a breach of these rights. Stephens added that one of the GNI’s main concerns is the impact of laws which would tend towards improper protection of freedom of expression. This concern led to the development of various recommendations from the GNI regarding consistency with human rights norms that governments should respect, including the fact that human rights’ restrictions should be established in a clear and precise law that is proportionate and necessary. He added that governments should not impose liability on intermediaries.

In the second part of his speech, Stephens stressed the role of ICT companies and the fact that most of them are more restrictive and efficient in their policies than parliaments are in their laws. He concluded by stating that the true challenge is that the issue at stake is larger than companies or governments; this also underlines a need for international cooperation between stakeholders in the protection of essential rights such as freedom of expression and the right to privacy.

The panel discussion was followed by a Q&A on the proper use of terms such as ‘Islamic’ which can be misused, the role of different stakeholders in the fight against ISIS, and the importance of tackling the issue with concrete measures to promote tolerance and coexistence between religions.

Other resources

The handbook, structured around 10 major challenges in big data security and privacy, gives an overview of best practices that should be followed by big data service providers to fortify their infrastructures. For each of the 100 best practices presented, an explanation is given on why the practice should be followed and how it can be implemented.

The set of guidelines contains recommendations on how to mitigate security threats and weaknesses in Internet of Things services. It includes guidelines for service ecosystems, endpoint ecosystems, and network operators.

The document provides guidelines for public and private organisations when planning and organising the selection and validation of smart city technologies. It describes the types of testing and assessments to consider in order to select the most secure vendors and technologies.

The document provides guidance for the secure implementation of Internet of Things (IoT)-based systems. It provides an overview of IoT security challenges and threats to individuals and organisations, and outlines several security control mechanisms that could be used to mitigate such challenges and threats.

A series of best practices and white papers produced by the Messaging Malware Mobile Anti-Abuse Working Group, and aimed at providing the technology industry, as well as users, with recommendations and background information to improve messaging security and address online, mobile, and telephony threats such as spam, malware, etc.

The role of the technical community and the private sector was outlined in assisting the implementations of cyber-norms and confidence-building measures by the UN, regional organisations, and governments. While the IGF was seen as the place to encounter all stakeholders, and the proposal made that a dedicated (possibly even main) session is scheduled at IGF 2017, it was suggested that the Internet governance community meets the security community within the framework of the Global Conference on Cyber Space (GCCS) in 2017, with support of the Global Forum on Cyber Expertise - GFCE (NetGov, Please Meet Cybernorms. Opening the debate - WS132).

WSIS Forum 2016 Report

As the demands of ICT-related SDGs need to be met with capacity-building initiatives, cybersecurity was identified as one of the eight core digital skills people need in the twenty-first century. Internet Governance, Security, Privacy and the Ethical Dimension of ICTs in 2030 (session 150) suggested that the interpretation of vast amounts of information and big data that Internet of Things (IoT) will bring could result in an innovative multi-trillion-dollar economy. Examples of solutions that can both boost the economy and increase security were raised in From Cybersecurity to ‘Cyber’ Safety and Security (session 172); these included the use of social media for managing disasters.

When it comes to practical suggestions for improving cooperation in cybersecurity, panellists of session 120 also suggested cooperation in incident response that can include both compulsory and voluntary reporting on cyber-incidents. Session 170 on The Contribution IFIP IP3 Makes to WSIS SDGs, with an Emphasis on Providing Trustworthy ICT Infrastructure and Services invited companies to invest more in education, professionalism, and security. Providing good quality legal and technical information and data to decision-makers was added to the list of suggested measures by the discussants of session 172.

Various emerging risks were also discussed in several sessions. Session 172 raised concerns about the emerging face of terrorism which increasingly uses new technologies including commercial drones.

Session 150 warned that big data should be accompanied by ‘big judgment’ and awareness of communities of the risks of ‘uberveillance’ - becoming possible due to brain-to-computer interfaces (BCIs) and sub-dermal implants - that can have an irreversible impact on society. On the other hand, session 120 commented on encryption as a useful concept that can enhance individual security, and suggested that law enforcement agencies can benefit greatly from other digital evidence.

IGF 2015 Report

With a rise in cybercrime and a sharper focus on cybersecurity by policymakers worldwide, it is no surprise that the issue was discussed at great length during the IGF 2015. Cyberattacks, which are on the rise and are evolving with the growth in infrastructure, mobile money transfers, and social media, affect the economic growth and sustainable development of many countries. The real economic cost of cyberattacks is considerable. However, as the discussion during Managing Security Risks for Sustainable Development (WS 160) concluded, it was hard to identify and calculate the cost of each cyberattack due to multiple tangible and intangible effects, with one of the consequences being the limited availability of global statistics on cyberattacks.

With regard to cybersecurity strategies, the speakers made reference to the OECD’s recommendation on Digital Security Risk Management for Economic and Social Prosperity which seeks to ensure that risk management is considered an important facet when decisions are made on digital issues. They said, however, that existing cybersecurity strategies are too focused on technology and are missing the human element. In Commonwealth Approach on National Cybersecurity Strategies (WS 131), the speakers agreed that cybersecurity should be tackled by governments in partnership with the private sector, regulators, and other governments. It requires legal frameworks, the use of technology to enforce cybersecurity, harmonisation of regional laws, and cooperation among states to tackle cross-border cybercrime.

The issue of trust (as well as other issues, such as privacy and freedom of expression, which are discussed below) was a main theme that intersected with security. Discussed predominantly during the main session dedicated to Enhancing Cybersecurity and Building Digital Trust, the panel agreed that multistakeholder approaches and private-public partnerships should be used to address the challenges. ‘If you want total security, go to prison’, said one panellist. On the other hand, surveillance and censorship cannot be used to justify cybersecurity. Surprisingly, a panellist in Cybersecurity, Human Rights and Internet Business Triangle (WS 172) revealed that 80% of actionable intelligence comes from publicly available resources.
